Cookie Injection Vulnerability in AsyncHttpClient Library by AsyncHttpClient
CVE-2026-55688
What is CVE-2026-55688?
The AsyncHttpClient library enables Java applications to perform HTTP requests and process responses asynchronously. However, a security flaw exists in the ThreadSafeCookieStore implementation: it accepts a cookie from a responding host without verifying that the host is permitted to set a cookie for the domain the cookie names. This enables an attacker to inject cookies scoped to a different domain, leading to potential cookie leaks and session hijacking. Applications that use a shared AsyncHttpClient instance to connect to both untrusted and trusted hosts are particularly vulnerable. To protect against this issue, users should upgrade to AsyncHttpClient version 2.16.0 or 3.0.11 or later.
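As an added illustration (not code from the AsyncHttpClient project), the following shows the RFC 6265 domain-match check a cookie store must apply before storing a cookie that carries an explicit Domain attribute, which is the check the advisory says ThreadSafeCookieStore omitted. Host names and cookie values are constructed for the example.

```python
# Added example, not AsyncHttpClient's own code. Demonstrates the RFC 6265
# domain-match rule a client cookie store must apply before storing a cookie.
# Host names and cookie values are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: Optional[str]  # Domain attribute from Set-Cookie, None if absent


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host domain-matches the cookie's
    Domain if they are equal, or if the request host is a host name (not an
    IP address) ending in '.' + Domain."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    return not _is_ip_address(host)


def accept_cookie(request_host: str, cookie: Cookie) -> bool:
    """Decide whether a cookie received from request_host may be stored.
    No Domain attribute means a host-only cookie for request_host, which is
    always accepted. An explicit Domain must domain-match request_host
    (RFC 6265 section 5.3, step 6); otherwise the cookie is ignored, which
    stops a response from one host planting a cookie scoped to another."""
    if cookie.domain is None or cookie.domain == "":
        return True
    return domain_matches(request_host, cookie.domain)


if __name__ == "__main__":
    # Shared client talks to an untrusted host and a trusted host.
    print(accept_cookie("untrusted.example", Cookie("sid", "x", "bank.example")))  # False
    print(accept_cookie("api.bank.example", Cookie("sid", "x", ".bank.example")))  # True
```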
Affected Version(s)
Package             Affected versions           Unaffected versions
async-http-client   >= 2.0.0, < 2.16.0          < 2.0.0, 2.16.0
async-http-client   >= 3.0.0.Beta1, < 3.0.11    < 3.0.0.Beta1, 3.0.11
