Apache HttpClient EUVD-2026-24630

CVE-2026-40542 HIGH
Missing Critical Step in Authentication (CWE-304)
2026-04-22 apache GHSA-v468-qcjx-r72w
7.3 CVSS 3.1 · Vendor: apache

Severity by source

  • Vendor (apache), primary: 7.3 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • SUSE: HIGH (qualitative)
  • Red Hat: 7.3 HIGH (qualitative)

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

  • May 01, 2026 - 17:12 (nvd): Patch released (patch available)
  • Apr 22, 2026 - 17:22 (vuln.today): Re-analysis queued (cvss_changed)
  • Apr 22, 2026 - 15:22 (vuln.today): Analysis generated
  • Apr 22, 2026 - 15:22 (NVD): CVSS changed to 7.3 (HIGH)
  • Apr 22, 2026 - 09:01 (EUVD): Patch available
  • Apr 22, 2026 - 08:00 (euvd): EUVD ID assigned (EUVD-2026-24630)
  • Apr 22, 2026 - 08:00 (vuln.today): Analysis generated
  • Apr 22, 2026 - 07:07 (nvd): CVE published, HIGH 7.3

Blast Radius (ecosystem impact)

  • 4 maven packages depend on org.apache.httpcomponents.client5:httpclient5 (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.6-alpha1.

Description (CVE.org)

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

Analysis (AI)

Apache HttpClient 5.6 skips mutual authentication verification in SCRAM-SHA-256 handshakes, allowing network attackers to impersonate legitimate servers without credentials. Affected clients accept unauthenticated server responses, enabling man-in-the-middle attacks that compromise confidentiality and integrity of authenticated sessions. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Achieve MITM network position
  • Delivery: Intercept SCRAM-SHA-256 handshake
  • Exploit: Forge server proof message
  • Execution: Client accepts invalid authentication
  • Persist: Impersonate legitimate server
  • Impact: Intercept/manipulate authenticated session data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target application to use Apache HttpClient 5.6 specifically configured with SCRAM-SHA-256 as the authentication mechanism. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 7.3 reflects network-accessible exploitation (AV:N) with low complexity (AC:L) requiring no authentication (PR:N) or user interaction (UI:N), resulting in partial impact across all CIA triad components (C:L/I:L/A:L). …
Exploit Scenario: An attacker operating a man-in-the-middle position on the network path between an Apache HttpClient 5.6 application and its authentication server intercepts SCRAM-SHA-256 handshake traffic. When the client sends authentication credentials, the attacker responds with a fabricated server proof message without possessing the shared secret. …
Remediation: Upgrade Apache HttpClient to version 5.6.1 immediately, as confirmed by the Apache Software Foundation advisory at https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97. …
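As an added illustration (not code from Apache HttpClient or from this advisory), the following Python model of the SCRAM-SHA-256 server-final step shows the check the description calls "mutual authentication verification": per RFC 5802 / RFC 7677 the client recomputes ServerSignature = HMAC(ServerKey, AuthMessage) and compares it with the v= value the server sends, so a server that does not hold the shared secret cannot produce an acceptable message. vulnerable_client_accepts models a client that skips that comparison; the password, salt, nonces and function names are all constructed for the example.

```python
import base64
import hashlib
import hmac

# SCRAM-SHA-256 key derivation (RFC 5802 / RFC 7677).
def server_signature(password: bytes, salt: bytes, iterations: int,
                     auth_message: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    # ServerSignature proves the server knows ServerKey, i.e. the shared secret.
    return hmac.new(server_key, auth_message, hashlib.sha256).digest()

def vulnerable_client_accepts(server_final: str) -> bool:
    # Models the flaw: any well-formed server-final message (v=...) counts
    # as success; the signature is never recomputed or compared.
    return server_final.startswith("v=")

def verifying_client_accepts(server_final: str, password: bytes, salt: bytes,
                             iterations: int, auth_message: bytes) -> bool:
    # Correct behaviour: reject unless v= equals the locally computed
    # ServerSignature, compared in constant time.
    if not server_final.startswith("v="):
        return False
    try:
        received = base64.b64decode(server_final[2:], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = server_signature(password, salt, iterations, auth_message)
    return hmac.compare_digest(received, expected)

# Constructed sample handshake values (not from the advisory).
PASSWORD = b"pencil"
SALT = b"constructed-salt"
ITERATIONS = 4096
CLIENT_FIRST_BARE = b"n=user,r=cnonce-constructed"
SERVER_FIRST = (b"r=cnonce-constructedsnonce,s=" + base64.b64encode(SALT)
                + b",i=4096")
CLIENT_FINAL_NO_PROOF = b"c=biws,r=cnonce-constructedsnonce"
# AuthMessage per RFC 5802: client-first-bare , server-first , client-final-without-proof
AUTH_MESSAGE = b",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_NO_PROOF])

# What a genuine server sends, and what a MITM lacking the secret can only guess.
GENUINE_FINAL = "v=" + base64.b64encode(
    server_signature(PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)).decode()
FORGED_FINAL = "v=" + base64.b64encode(b"\x00" * 32).decode()
```

The forged message passes the vulnerable check and fails the verifying one, which is the difference between the affected 5.6 behaviour described above and the expected behaviour after upgrading to 5.6.1.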

Recommended Action (AI)

Within 24 hours: identify all applications and services using Apache HttpClient 5.6 through dependency scanning and inventory. …

Vendor Status (Vendor)

SUSE

Severity: High
Product Status:
  • SUSE Linux Enterprise Desktop 15 SP7: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
  • SUSE Linux Enterprise Module for Basesystem 15 SP7: Fixed
  • SUSE Linux Enterprise Server 15 SP7: Fixed
  • SUSE Linux Enterprise Server 16.0: Fixed

EUVD-2026-24630 vulnerability details – vuln.today