CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Analysis (AI)
Apache HttpClient 5.6 skips mutual authentication verification in SCRAM-SHA-256 handshakes, allowing network attackers to impersonate legitimate servers without credentials. Affected clients accept unauthenticated server responses, enabling man-in-the-middle attacks that compromise confidentiality and integrity of authenticated sessions. …
Remediation (AI)
Within 24 hours: identify all applications and services using Apache HttpClient 5.6 through dependency scanning and inventory. Within 7 days: upgrade to Apache HttpClient 5.6.1 or later across development, staging, and production environments; verify upgraded libraries in all transitive dependencies. …
EUVD-2026-24630
GHSA-v468-qcjx-r72w