CVE-2026-40542

CVE-2026-40542: Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification

Vendor Apache Software Foundation
Product Apache HttpClient
Weakness CWE-304
Published April 22, 2026
Last update April 22, 2026

CVSS base score

What the vulnerability does

Description

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
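The record does not say which step HttpClient 5.6 skipped. In SCRAM-SHA-256 (RFC 5802 / RFC 7677) the mutual-authentication step is the client's own check of the server's final `v=` value against HMAC(ServerKey, AuthMessage): an impostor that does not hold the user's ServerKey cannot produce it, so a client that accepts any well-formed `v=` has no assurance it is talking to the real server. The following is an added, self-contained Python example, not Apache HttpClient code, that runs a simulated SCRAM-SHA-256 exchange and contrasts a client that performs the check (`verify_server_final`) with one that skips it (`lenient_accept`); the user name, password, nonces and salt are constructed for the demo.

```python
"""Added example: SCRAM-SHA-256 (RFC 5802 / RFC 7677) server-signature check.
Not Apache HttpClient code; all names and credentials are constructed."""
import base64
import hashlib
import hmac
import secrets


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def parse_attrs(message: str) -> dict:
    # SCRAM attributes are "k=value" pairs separated by commas; base64 values
    # may themselves contain '=', so split each pair only on the first '='.
    return dict(part.split("=", 1) for part in message.split(","))


def derive_keys(password: bytes, salt: bytes, iterations: int):
    # Hi() in the RFC is PBKDF2 with HMAC-SHA-256.
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def client_final(password: bytes, client_first_bare: str, server_first: str):
    """Build client-final-message and the server signature the client expects."""
    attrs = parse_attrs(server_first)
    salt = base64.b64decode(attrs["s"])
    iterations = int(attrs["i"])
    client_key, stored_key, server_key = derive_keys(password, salt, iterations)
    without_proof = f"c=biws,r={attrs['r']}"  # "biws" = base64("n,,"): no channel binding
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = bytes(k ^ s for k, s in zip(client_key, client_sig))
    expected_server_sig = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    return without_proof + ",p=" + b64(proof), expected_server_sig


def verify_server_final(server_final: str, expected_server_sig: bytes) -> bool:
    """The mutual-authentication step: accept only if v= equals the signature
    the client computed itself from the password-derived ServerKey."""
    attrs = parse_attrs(server_final)
    if "e" in attrs or "v" not in attrs:
        return False
    try:
        received = base64.b64decode(attrs["v"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(received, expected_server_sig)


def lenient_accept(server_final: str) -> bool:
    """The failure mode: treating any well-formed v= attribute as success."""
    return "v" in parse_attrs(server_final)


def server_check_proof(stored_key: bytes, auth_message: bytes, proof_b64: str) -> bool:
    """What a genuine server does before answering: recover ClientKey from the
    proof and compare H(ClientKey) with StoredKey."""
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    proof = base64.b64decode(proof_b64)
    client_key = bytes(p ^ s for p, s in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def run_handshake(server_knows_password: bool):
    """Simulate one exchange. Returns (strict_client_accepts, lenient_client_accepts)."""
    username, password = "alice", b"correct horse battery staple"  # constructed credentials
    salt, iterations = secrets.token_bytes(16), 4096
    client_nonce = b64(secrets.token_bytes(18))
    client_first_bare = f"n={username},r={client_nonce}"
    server_nonce = b64(secrets.token_bytes(18))
    server_first = f"r={client_nonce}{server_nonce},s={b64(salt)},i={iterations}"
    final_msg, expected_sig = client_final(password, client_first_bare, server_first)
    without_proof, proof_b64 = final_msg.rsplit(",p=", 1)
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    if server_knows_password:
        _, stored_key, server_key = derive_keys(password, salt, iterations)
        if not server_check_proof(stored_key, auth_message, proof_b64):
            server_final = "e=invalid-proof"
        else:
            server_final = "v=" + b64(hmac.new(server_key, auth_message, hashlib.sha256).digest())
    else:
        # Impostor without ServerKey: can only send a made-up signature.
        server_final = "v=" + b64(secrets.token_bytes(32))
    return verify_server_final(server_final, expected_sig), lenient_accept(server_final)


if __name__ == "__main__":
    print("genuine server  (strict, lenient):", run_handshake(True))
    print("impostor server (strict, lenient):", run_handshake(False))
```

The strict client accepts the genuine server and rejects the impostor; the lenient client accepts both, which is the practical effect of skipping the step this record describes. The same check is also what lets a client detect a server that merely knows the user name and salt but not the password-derived keys.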

Key dates

Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated