| Name | CVE-2026-40542 |
| Description | Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| httpcomponents-client (PTS) | bullseye | 4.5.13-2 | fixed |
| httpcomponents-client (PTS) | forky, sid, bookworm, trixie | 4.5.14-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| httpcomponents-client | source | (unstable) | (not affected) | | | |
Notes
- httpcomponents-client <not-affected> (Vulnerable code not present)
https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97
Fixed by: https://github.com/apache/httpcomponents-client/commit/1acf00b879d908a869508ceee2edb0fe65b69d73 (rel/5.6.1, 5.6.1-RC1)