Cookie Injection Vulnerability in AsyncHttpClient Library by AsyncHttpClient
CVE-2026-55688

CVSS score 4 (MEDIUM)

Key Information:

Vendor: AsyncHttpClient
CVE Published: 1 July 2026

What is CVE-2026-55688?

The AsyncHttpClient library enables Java applications to perform HTTP requests and process responses asynchronously. A security flaw exists in the ThreadSafeCookieStore implementation, which accepts cookies from a responding host without verifying that the host is permitted to set cookies for the domain named in the cookie's Domain attribute. A response from one host can therefore inject a cookie scoped to a different domain, and that cookie is later sent to the other domain, leading to potential cookie leaks and session hijacking. Applications that use a shared AsyncHttpClient instance to connect to both untrusted and trusted hosts are particularly exposed. To protect against this issue, users should upgrade to AsyncHttpClient version 2.16.0 or 3.0.11 or later.
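The check the description says the cookie store omits is the domain-match rule of RFC 6265 (section 5.1.3, applied in section 5.3): a Set-Cookie carrying a Domain attribute may only be stored if the request host equals that domain or is a subdomain of it, and never when the host is an IP literal. The following Java class is an added illustration of that rule written for this page; it is not AsyncHttpClient's code, and the class and method names (CookieDomainCheck, domainMatches, acceptCookieDomain) are hypothetical. The sample host/Domain pairs in main are constructed.

```java
import java.util.Locale;

/**
 * Illustrative cookie-domain check in the spirit of RFC 6265 section 5.3.
 * Hypothetical helper for this page, not AsyncHttpClient's ThreadSafeCookieStore.
 */
public final class CookieDomainCheck {

    /** RFC 6265 section 5.1.3: does requestHost domain-match domainAttr? */
    static boolean domainMatches(String requestHost, String domainAttr) {
        String host = requestHost.toLowerCase(Locale.ROOT);
        String domain = domainAttr.toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) {
            domain = domain.substring(1); // a leading dot is ignored
        }
        if (host.equals(domain)) {
            return true;
        }
        // The host must be a subdomain of the Domain value, and must not be an IP literal.
        return host.endsWith("." + domain) && !isIpLiteral(host);
    }

    /** Rough IPv4 / IPv6 literal detection; enough for the domain-match rule. */
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    /**
     * Decide whether a Set-Cookie received from requestHost may be stored.
     * Returns the domain the cookie will be scoped to, or null if the cookie
     * must be ignored. A store that skips this step is what the advisory describes.
     */
    static String acceptCookieDomain(String requestHost, String domainAttr) {
        if (domainAttr == null || domainAttr.isEmpty()) {
            // No Domain attribute: host-only cookie for the responding host.
            return requestHost.toLowerCase(Locale.ROOT);
        }
        String domain = domainAttr.toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) {
            domain = domain.substring(1);
        }
        if (!domainMatches(requestHost, domain)) {
            return null; // responding host may not set cookies for this domain
        }
        return domain;
    }

    public static void main(String[] args) {
        // Constructed samples: {responding host, Domain attribute of the Set-Cookie}
        String[][] samples = {
            {"api.example.com", null},                    // host-only: stored
            {"api.example.com", "example.com"},           // parent domain: stored
            {"api.example.com", ".example.com"},          // leading dot: stored
            {"other.example.net", "bank.example.com"},    // unrelated domain: rejected
            {"example.com", "api.example.com"},           // subdomain of host: rejected
            {"192.0.2.10", "0.2.10"},                     // IP literal: rejected
        };
        for (String[] s : samples) {
            String result = acceptCookieDomain(s[0], s[1]);
            System.out.printf("%-20s Domain=%-18s -> %s%n",
                    s[0], s[1], result == null ? "REJECTED" : "stored for " + result);
        }
    }
}
```

The fourth sample is the shape of the problem the advisory describes: a response from one host carrying a Domain attribute for an unrelated host is rejected here and would be sent to the unrelated host if it were stored. A production cookie store also needs a public-suffix check (rejecting Domain=com or Domain=co.uk), which this illustration omits.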

Affected Version(s)

async-http-client: affected >= 2.0.0, < 2.16.0; not affected < 2.0.0; fixed in 2.16.0

async-http-client: affected >= 3.0.0.Beta1, < 3.0.11; not affected < 3.0.0.Beta1; fixed in 3.0.11

CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved