CVE-2026-40542: CWE-304: Missing Critical Step in Authentication in Apache Software Foundation Apache HttpClient
Apache HttpClient version 5. 6 contains a vulnerability (CVE-2026-40542) where a critical step in SCRAM-SHA-256 authentication is missing, causing the client to accept authentication without proper mutual verification. This flaw can lead to partial compromise of confidentiality, integrity, and availability. The issue is fixed in version 5. 6. 1, which users are recommended to upgrade to.
AI Analysis
Technical Summary
CVE-2026-40542 is a vulnerability in Apache HttpClient 5.6 involving a missing critical step in the SCRAM-SHA-256 authentication process. This omission allows the client to accept authentication without proper mutual authentication verification, weakening the authentication mechanism. The vulnerability is classified under CWE-304 (Missing Critical Step in Authentication). The CVSS v3.1 base score is 7.3 (high severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. The vendor recommends upgrading to version 5.6.1 to address this issue.
Potential Impact
An attacker can exploit this vulnerability to bypass proper mutual authentication in SCRAM-SHA-256, potentially leading to unauthorized access or data compromise. The CVSS score indicates a high severity impact on confidentiality, integrity, and availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade Apache HttpClient from version 5.6 to version 5.6.1, where this vulnerability is fixed. No other remediation details or temporary mitigations are provided. Patch status is not explicitly confirmed in the vendor advisory fields, but the description clearly states that version 5.6.1 fixes the issue.
CVE-2026-40542: CWE-304: Missing Critical Step in Authentication in Apache Software Foundation Apache HttpClient
Description
Apache HttpClient version 5. 6 contains a vulnerability (CVE-2026-40542) where a critical step in SCRAM-SHA-256 authentication is missing, causing the client to accept authentication without proper mutual verification. This flaw can lead to partial compromise of confidentiality, integrity, and availability. The issue is fixed in version 5. 6. 1, which users are recommended to upgrade to.
CVSS v3.1
Score 7.3high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40542 is a vulnerability in Apache HttpClient 5.6 involving a missing critical step in the SCRAM-SHA-256 authentication process. This omission allows the client to accept authentication without proper mutual authentication verification, weakening the authentication mechanism. The vulnerability is classified under CWE-304 (Missing Critical Step in Authentication). The CVSS v3.1 base score is 7.3 (high severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. The vendor recommends upgrading to version 5.6.1 to address this issue.
Potential Impact
An attacker can exploit this vulnerability to bypass proper mutual authentication in SCRAM-SHA-256, potentially leading to unauthorized access or data compromise. The CVSS score indicates a high severity impact on confidentiality, integrity, and availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Users should upgrade Apache HttpClient from version 5.6 to version 5.6.1, where this vulnerability is fixed. No other remediation details or temporary mitigations are provided. Patch status is not explicitly confirmed in the vendor advisory fields, but the description clearly states that version 5.6.1 fixes the issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-14T09:11:14.268Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e87cbe19fe3cd2cd7bf96a
Added to database: 4/22/2026, 7:46:06 AM
Last enriched: 4/29/2026, 11:15:44 AM
Last updated: 6/5/2026, 2:26:52 PM
Views: 213
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.