CVE-2026-40490: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AsyncHttpClient async-http-client
AsyncHttpClient versions prior to 3. 0. 9 and 2. 14. 5 improperly forward Authorization and Proxy-Authorization headers, along with Realm credentials, to redirect targets regardless of domain, scheme, or port changes. This behavior leaks sensitive credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Even with stripAuthorizationOnRedirect enabled, Realm credentials are still propagated, allowing credential regeneration. An attacker controlling a redirect target can capture these credentials. The issue is fixed in versions 3. 0.
AI Analysis
Technical Summary
The AsyncHttpClient library for Java applications has a vulnerability (CVE-2026-40490) where, when redirect following is enabled, Authorization and Proxy-Authorization headers and Realm credentials are forwarded to arbitrary redirect targets without validating origin changes. This leads to exposure of sensitive authentication information including Bearer tokens and Basic auth credentials. The flaw affects versions >= 3.0.0.Beta1 and < 3.0.9, and versions below 2.14.5. The vulnerability allows attackers who control redirect destinations via open redirect, DNS rebinding, or man-in-the-middle attacks to capture these credentials. The fix in versions 3.0.9 and 2.14.5 ensures headers and credentials are stripped on cross-origin or HTTPS-to-HTTP redirects. Workarounds for unpatched versions include disabling redirect following or avoiding Realm-based authentication with redirects.
Potential Impact
This vulnerability results in the exposure of sensitive authentication credentials to unauthorized actors during HTTP redirects, potentially allowing attackers to capture Bearer tokens, Basic authentication credentials, or other Authorization header values. The impact is confidentiality loss without direct integrity or availability effects. The CVSS 3.1 score is 6.8 (medium severity), reflecting network attack vector, high complexity, no privileges required, no user interaction, scope change, and high confidentiality impact.
Mitigation Recommendations
A fix is available in AsyncHttpClient versions 3.0.9 and 2.14.5, which automatically strip Authorization and Proxy-Authorization headers and clear Realm credentials on cross-origin and HTTPS-to-HTTP redirects. Users should upgrade to these versions to remediate the vulnerability. For those unable to upgrade immediately, it is recommended to disable redirect following (followRedirect(false)) and handle redirects manually with origin validation. Setting stripAuthorizationOnRedirect(true) alone is insufficient on vulnerable versions due to Realm credential propagation and should be combined with avoiding Realm-based authentication or disabling redirects.
CVE-2026-40490: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in AsyncHttpClient async-http-client
Description
AsyncHttpClient versions prior to 3. 0. 9 and 2. 14. 5 improperly forward Authorization and Proxy-Authorization headers, along with Realm credentials, to redirect targets regardless of domain, scheme, or port changes. This behavior leaks sensitive credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Even with stripAuthorizationOnRedirect enabled, Realm credentials are still propagated, allowing credential regeneration. An attacker controlling a redirect target can capture these credentials. The issue is fixed in versions 3. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The AsyncHttpClient library for Java applications has a vulnerability (CVE-2026-40490) where, when redirect following is enabled, Authorization and Proxy-Authorization headers and Realm credentials are forwarded to arbitrary redirect targets without validating origin changes. This leads to exposure of sensitive authentication information including Bearer tokens and Basic auth credentials. The flaw affects versions >= 3.0.0.Beta1 and < 3.0.9, and versions below 2.14.5. The vulnerability allows attackers who control redirect destinations via open redirect, DNS rebinding, or man-in-the-middle attacks to capture these credentials. The fix in versions 3.0.9 and 2.14.5 ensures headers and credentials are stripped on cross-origin or HTTPS-to-HTTP redirects. Workarounds for unpatched versions include disabling redirect following or avoiding Realm-based authentication with redirects.
Potential Impact
This vulnerability results in the exposure of sensitive authentication credentials to unauthorized actors during HTTP redirects, potentially allowing attackers to capture Bearer tokens, Basic authentication credentials, or other Authorization header values. The impact is confidentiality loss without direct integrity or availability effects. The CVSS 3.1 score is 6.8 (medium severity), reflecting network attack vector, high complexity, no privileges required, no user interaction, scope change, and high confidentiality impact.
Mitigation Recommendations
A fix is available in AsyncHttpClient versions 3.0.9 and 2.14.5, which automatically strip Authorization and Proxy-Authorization headers and clear Realm credentials on cross-origin and HTTPS-to-HTTP redirects. Users should upgrade to these versions to remediate the vulnerability. For those unable to upgrade immediately, it is recommended to disable redirect following (followRedirect(false)) and handle redirects manually with origin validation. Setting stripAuthorizationOnRedirect(true) alone is insufficient on vulnerable versions due to Realm credential propagation and should be combined with avoiding Realm-based authentication or disabling redirects.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-13T19:50:42.114Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2e080bdfbbecc59c723b4
Added to database: 4/18/2026, 1:38:08 AM
Last enriched: 4/18/2026, 1:53:15 AM
Last updated: 4/18/2026, 4:32:19 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.