CVE-2026-40490: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AsyncHttpClient async-http-client
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (`followRedirect(true)`), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when `stripAuthorizationOnRedirect` is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `stripAuthorizationOnRedirect(true)` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `stripAuthorizationOnRedirect(true)` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
AI Analysis
Technical Summary
The AsyncHttpClient library for Java allows HTTP requests with asynchronous response handling. In versions prior to 3.0.9 and 2.14.5, when redirect following is enabled, Authorization and Proxy-Authorization headers, including Realm credentials, are forwarded to redirect targets without validating origin changes. This leads to exposure of sensitive authentication credentials on cross-domain redirects or HTTPS-to-HTTP downgrades. The vulnerability enables attackers controlling redirect targets (via open redirect, DNS rebinding, or MITM) to capture these credentials. The fix in versions 3.0.9 and 2.14.5 ensures headers and Realm credentials are stripped when redirects cross origin boundaries or downgrade security. Configuration options like stripAuthorizationOnRedirect(true) are insufficient alone on vulnerable versions due to Realm credential regeneration. Mitigation includes upgrading to fixed versions, disabling redirect following, or avoiding Realm authentication with redirects.
Potential Impact
This vulnerability can lead to unauthorized disclosure of sensitive authentication credentials such as Bearer tokens and Basic auth credentials to attackers controlling redirect targets. This exposure occurs during HTTP redirects that cross domain, scheme, or port boundaries, including HTTPS-to-HTTP downgrades. The impact is confidentiality loss of credentials, potentially enabling unauthorized access to protected resources. There is no indication of integrity or availability impact. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available in AsyncHttpClient versions 3.0.9 and 2.14.5, which properly strip Authorization and Proxy-Authorization headers and clear Realm credentials on cross-origin or HTTPS-to-HTTP redirects. Users should upgrade to these versions to fully mitigate the vulnerability. For those unable to upgrade immediately, it is recommended to disable redirect following (followRedirect(false)) and handle redirects manually with origin validation, or avoid using Realm-based authentication with redirect following enabled. Setting stripAuthorizationOnRedirect(true) alone is insufficient on vulnerable versions due to Realm credential regeneration.
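As an added illustration of the origin validation that the manual-redirect mitigation above calls for (this is not code from the AsyncHttpClient project or from the advisory; the class and method names are hypothetical), the helper below uses only `java.net.URI` to decide whether a redirect target keeps the original scheme, host and effective port and whether it downgrades HTTPS to HTTP, and drops Authorization and Proxy-Authorization from the headers forwarded to any target that fails either test:

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical helper (not part of AsyncHttpClient) for callers that follow redirects by hand.
public final class RedirectCredentialPolicy {
    private static final Set<String> CREDENTIAL_HEADERS = Set.of("authorization", "proxy-authorization");

    // Effective port: the explicit one, else the scheme default (443 for https, 80 for http).
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) return uri.getPort();
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    // Same origin means identical scheme, host and effective port; anything else is cross-origin.
    static boolean sameOrigin(URI from, URI to) {
        if (from.getScheme() == null || to.getScheme() == null || from.getHost() == null || to.getHost() == null) return false;
        return from.getScheme().equalsIgnoreCase(to.getScheme())
                && from.getHost().equalsIgnoreCase(to.getHost())
                && effectivePort(from) == effectivePort(to);
    }

    // HTTPS-to-HTTP downgrade: already cross-origin, but named because it is the hop the advisory singles out.
    static boolean isDowngrade(URI from, URI to) {
        return "https".equalsIgnoreCase(from.getScheme()) && "http".equalsIgnoreCase(to.getScheme());
    }

    // Headers to send to the redirect target: a copy of the originals minus Authorization and
    // Proxy-Authorization unless the target is same-origin and not a downgrade. Location may be
    // relative, so it is resolved against the request that produced the redirect.
    static Map<String, String> headersForRedirect(URI from, String location, Map<String, String> original) {
        URI to = from.resolve(location);
        boolean keepCredentials = sameOrigin(from, to) && !isDowngrade(from, to);
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : original.entrySet()) {
            if (!keepCredentials && CREDENTIAL_HEADERS.contains(e.getKey().toLowerCase(Locale.ROOT))) continue;
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: one authenticated request and three Location values it might receive.
        URI from = URI.create("https://api.example.com/v1/data");
        Map<String, String> headers = Map.of("Authorization", "Bearer <token-placeholder>", "Accept", "application/json");
        for (String loc : new String[] {"/v2/data", "https://api.example.com:8443/v1/data", "http://api.example.com/v1/data"}) {
            boolean kept = headersForRedirect(from, loc, headers).containsKey("Authorization");
            System.out.println(loc + " -> Authorization forwarded: " + kept);
        }
    }
}
```

Only the first (same-origin, relative) redirect keeps the Authorization header; the port change and the HTTPS-to-HTTP hop both have it stripped. When building the follow-up request by hand, send only the headers this returns and attach no Realm to it, since the advisory notes Realm credentials are re-generated into fresh Authorization headers independently of the header set.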
CVSS v3.1
Score: 6.8 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-13T19:50:42.114Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e2e080bdfbbecc59c723b4
Added to database: 4/18/2026, 1:38:08 AM
Last enriched: 4/25/2026, 2:56:56 AM
Last updated: 6/1/2026, 10:03:26 PM