
AsyncHttpClient CVE-2026-55688

EUVD-2026-41134 · MEDIUM
Sensitive Cookie with Improper SameSite Attribute (CWE-1275)
2026-07-01 · GitHub_M
CVSS 3.1 score 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 4.0 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

vuln.today AI: 4.0 MEDIUM

AC:H reflects the required shared-CookieStore architecture; PR:N because the attacker only controls a responding HTTP server; S:C because the injected cookie crosses to a distinct trusted domain; I:L for cookie-level integrity tampering with no confidentiality or availability impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: Jul 01, 2026 - 21:02 (EUVD)
Analysis generated: Jul 01, 2026 - 20:21 (vuln.today)

Description (CVE.org)

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without verifying that the responding host is allowed to set a cookie for that domain, leading to a cookie tossing / cookie injection issue. A host the client connects to can therefore plant a cookie scoped to an unrelated domain, and the client will then send that cookie on later requests to that domain. Applications that use a single AsyncHttpClient instance - and thus the default, shared CookieStore - to reach both an attacker-influenced host and a trusted host are impacted. This issue has been fixed in versions 2.16.0 and 3.0.11.

Analysis (AI)

Cookie tossing in the AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Operate HTTP server the AHC client will contact
Delivery: Respond with Set-Cookie specifying attacker-chosen Domain attribute
Exploit: AHC stores cookie without domain-origin validation
Install: Shared ThreadSafeCookieStore retains injected cookie across connections
C2: Application subsequently requests trusted target domain
Execute: AHC transmits injected cookie to trusted host
Impact: Trusted host processes attacker-supplied cookie value

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application uses a single AsyncHttpClient instance - and therefore the default shared ThreadSafeCookieStore - to issue HTTP requests to both (1) an attacker-controlled or attacker-influenced server and (2) a trusted server whose domain the attacker wishes to target, with both connections occurring within the same application process lifetime so the injected cookie persists in the shared store. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The NVD CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N, score 4.0) accurately reflects an architecturally constrained but real threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker operates a web server that a target Java application calls - for example, as part of a third-party REST API integration or a user-supplied URL fetch. The attacker's server responds to a legitimate request with a Set-Cookie header such as 'session=attacker_value; Domain=internal-auth.example.com', which AHC stores without domain validation. …

Remediation: Upgrade async-http-client to version 2.16.0 (for the 2.x stable line) or 3.0.11 (for the 3.x pre-release line), both of which enforce RFC 6265-compliant domain-origin validation in ThreadSafeCookieStore per the vendor advisory at https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-m452-q8c9-rg2f. … Detailed patch versions, workarounds, and compensating controls in full report.
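The description and the remediation above come down to one missing check: a cookie store must confirm that the responding host domain-matches the cookie's Domain attribute (RFC 6265 section 5.3, steps 5 and 6) before keying the cookie by that domain. The following is an added example, not code from async-http-client or from vuln.today, written in Python so the rule is easy to read independently of AHC's Java API. It implements a minimal cookie store with the check switchable on and off, so the shared-store scenario from the description can be run both ways; host names (`third-party.test`, `internal-auth.example.com`, the latter taken from the exploit scenario above) and the small `PUBLIC_SUFFIXES` set are constructed for the demonstration, and a real client would consult the full Public Suffix List.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative sample of public suffixes. A real client would
# consult the Mozilla Public Suffix List; this set exists only so the
# public-suffix rejection rule (RFC 6265 s5.3 step 5) can be demonstrated.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "test"}


def canonicalize(host: str) -> str:
    """Lower-case and strip a trailing dot (RFC 6265 s5.1.2, simplified)."""
    return host.strip().rstrip(".").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host domain-matches domain when they are equal, or
    when host is a subdomain of domain and host is not an IP address."""
    host, domain = canonicalize(host), canonicalize(domain)
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip_literal(host)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain the cookie is scoped to
    host_only: bool   # True when the response carried no Domain attribute


@dataclass
class CookieStore:
    """validate=True applies the RFC 6265 s5.3 checks; validate=False keys
    the cookie by its Domain attribute with no origin check, which is the
    behaviour the advisory describes for the affected versions."""
    validate: bool = True
    cookies: Dict[Tuple[str, str], Cookie] = field(default_factory=dict)

    def add(self, request_host: str, name: str, value: str,
            domain_attr: Optional[str] = None) -> bool:
        """Store a cookie received from request_host; return False if rejected."""
        host = canonicalize(request_host)
        if not domain_attr:
            cookie = Cookie(name, value, host, host_only=True)
        else:
            dom = canonicalize(domain_attr.lstrip("."))
            if self.validate:
                # Step 5: a public suffix may only be set by that exact host.
                if dom in PUBLIC_SUFFIXES and dom != host:
                    return False
                # Step 6: the responding host must domain-match the Domain.
                if not domain_matches(host, dom):
                    return False
            cookie = Cookie(name, value, dom, host_only=False)
        self.cookies[(cookie.domain, name)] = cookie
        return True

    def cookies_for(self, request_host: str) -> List[Cookie]:
        """Cookies that would be attached to a request to request_host."""
        host = canonicalize(request_host)
        sent = []
        for c in self.cookies.values():
            if c.host_only:
                if host == c.domain:
                    sent.append(c)
            elif domain_matches(host, c.domain):
                sent.append(c)
        return sent


def shared_client_scenario(validate: bool) -> List[str]:
    """One shared store reaches an untrusted host and then a trusted host
    (constructed names); returns the cookie names the trusted host receives."""
    store = CookieStore(validate=validate)
    # Constructed response from the untrusted host: it tries to scope a
    # cookie to a domain it does not control.
    store.add("third-party.test", "session", "planted",
              domain_attr="internal-auth.example.com")
    # Legitimate cookie the trusted host sets on itself.
    store.add("internal-auth.example.com", "csrf", "ok",
              domain_attr="internal-auth.example.com")
    return sorted(c.name for c in store.cookies_for("internal-auth.example.com"))


if __name__ == "__main__":
    print("unvalidated store sends:", shared_client_scenario(False))
    print("validated store sends:  ", shared_client_scenario(True))
```

With validation off, the trusted host receives both `csrf` and the planted `session` cookie, which is the cross-host integrity impact the CVSS vector scores as S:C/I:L; with validation on, the planted cookie is rejected at `add` time and only `csrf` is sent. For applications that cannot upgrade immediately, the same separation can be approximated operationally by not sharing one client (and so one store) between untrusted and trusted hosts, as the description's impact statement implies.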


CVE-2026-55688 vulnerability details – vuln.today