CVE-2026-55688: CWE-1275: Sensitive Cookie with Improper SameSite Attribute in AsyncHttpClient async-http-client
AsyncHttpClient versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11 contain a vulnerability in the ThreadSafeCookieStore, where cookies are stored under their Domain attribute without verifying whether the responding host is authorized to set cookies for that domain. This allows an attacker-controlled host to plant cookies scoped to unrelated domains, which the client may send in later requests to those domains. The issue affects applications that use a single AsyncHttpClient instance with the default shared CookieStore to access both attacker-influenced and trusted hosts. The vulnerability is fixed in versions 2.16.0 and 3.0.11.
AI Analysis
Technical Summary
The AsyncHttpClient library's ThreadSafeCookieStore stores cookies keyed solely on their Domain attribute, without validating that the responding host is permitted to set cookies for that domain. This enables cookie tossing (cookie injection): an attacker-controlled host can set cookies scoped to unrelated domains, and the client may then send those injected cookies to trusted domains in subsequent requests, potentially leading to unintended cookie sharing or session confusion. Affected versions are 2.0.0 up to but not including 2.16.0, and 3.0.0.Beta1 up to but not including 3.0.11. The vulnerability is fixed in AsyncHttpClient versions 2.16.0 and 3.0.11.
Potential Impact
An attacker controlling a host that the client connects to can inject cookies scoped to unrelated domains into the client's shared cookie store. The client may then send these attacker-injected cookies to trusted domains, potentially leading to session confusion or other integrity issues. The CVSS score of 4.0 (medium) reflects that the vulnerability requires network access with high attack complexity and no privileges or user interaction, and that it impacts integrity without affecting confidentiality or availability.
Mitigation Recommendations
Upgrade AsyncHttpClient to version 2.16.0 or later (2.x line) or 3.0.11 or later (3.x line), where this vulnerability is fixed. No other mitigations are indicated. The vendor advisory content does not explicitly state a patch status, but the description confirms the issue is fixed in these versions.
CVSS v3.1 score: 4.0 (medium)
Affected software: pkg:maven/org.asynchttpclient/async-http-client
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-17T00:13:10.650Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a456fd127e9c79719097e6d
Added to database: 07/01/2026, 19:51:45 UTC
Last enriched: 07/01/2026, 21:20:19 UTC
Last updated: 07/01/2026, 21:20:19 UTC