
Apache Httpclient

1 CVE for this product


CVE-2026-40542 | Maven | HIGH | PATCH | GHSA | This Week

Apache HttpClient 5.6 skips the mutual-authentication check in SCRAM-SHA-256 handshakes, allowing a network attacker to impersonate a legitimate server without any credentials. Affected clients accept unauthenticated server responses, enabling man-in-the-middle attacks that compromise the confidentiality and integrity of authenticated sessions. Apache released patched version 5.6.1, which adds the missing authentication check. The EPSS score of 0.03% suggests low current exploitation activity, though the network-accessible attack surface (AV:N/AC:L/PR:N) and the availability of a detailed vendor advisory increase exploitation risk once attackers adapt tooling for SCRAM protocol manipulation.
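The missing check is the SCRAM server-final verification: the client must confirm that the server's v= value equals HMAC(ServerKey, AuthMessage) before treating the session as mutually authenticated. The following is an added illustration of that check (not Apache HttpClient code); all names, nonces, salt and password values are constructed for the example.

```python
# Added example: the SCRAM-SHA-256 server-final check a client must perform
# (RFC 5802 / RFC 7677). Not Apache HttpClient's implementation.
import base64
import hashlib
import hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def scram_keys(password: str, salt: bytes, iterations: int):
    """Derive ClientKey, StoredKey and ServerKey from the password (RFC 5802 s.3)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    server_key = _hmac(salted, b"Server Key")
    return client_key, stored_key, server_key

def auth_message(client_first_bare: str, server_first: str, client_final_no_proof: str) -> bytes:
    """AuthMessage is the three handshake messages joined by commas."""
    return ",".join([client_first_bare, server_first, client_final_no_proof]).encode("utf-8")

def expected_server_signature(server_key: bytes, auth_msg: bytes) -> str:
    return base64.b64encode(_hmac(server_key, auth_msg)).decode("ascii")

def verify_server_final(server_final: str, server_key: bytes, auth_msg: bytes) -> bool:
    """True only if the server proves knowledge of ServerKey; a client that skips
    this (the CVE-2026-40542 behaviour) would accept any server-final message."""
    attrs = dict(part.split("=", 1) for part in server_final.split(",") if "=" in part)
    if "e" in attrs or "v" not in attrs:   # server error, or no proof offered
        return False
    return hmac.compare_digest(attrs["v"], expected_server_signature(server_key, auth_msg))

def demo():
    """Constructed handshake: returns (genuine server accepted, wrong-key server rejected)."""
    password, salt, iters = "constructed-password", b"constructed-salt", 4096
    client_first_bare = "n=user,r=clientnonce"
    server_first = "r=clientnonceservernonce,s=" + base64.b64encode(salt).decode() + ",i=4096"
    client_final_no_proof = "c=biws,r=clientnonceservernonce"
    msg = auth_message(client_first_bare, server_first, client_final_no_proof)
    _, _, server_key = scram_keys(password, salt, iters)
    genuine = "v=" + expected_server_signature(server_key, msg)
    # A server that does not hold the real ServerKey can only sign with some other key.
    other_key = hashlib.sha256(b"some other key").digest()
    not_genuine = "v=" + expected_server_signature(other_key, msg)
    return verify_server_final(genuine, server_key, msg), verify_server_final(not_genuine, server_key, msg)

if __name__ == "__main__":
    print(demo())  # (True, False)
```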

Vendor: Apache | Category: Information Disclosure | Product: Apache Httpclient
Sources: NVD, VulDB
CVSS 3.1: 7.3 (HIGH) | EPSS: 0.0% | Patch available | This Week

