GHSA-cmxv-58fp-fm3g · Severity: medium · Ecosystem: maven — AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `(stripAuthorizationOnRedirect(true))` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
Conclusion & alert: CVE-2026-40490 is rated Low Risk (33.2/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.06%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-04-18 | — | 0.06% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 3.1 | MEDIUM |
|
2.2 | 4.0 | [email protected] |
GHSA-cmxv-58fp-fm3g · Severity: medium · Ecosystem: maven — AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-40490 not yet assigned priority: Debian including 1 source packages (async-http-client), 3 status rows across 3 suites (bookworm, bullseye, sid): open 3. | https://security-tracker.debian.org/tracker/CVE-2026-40490 |
ubuntu
|
medium | CVE-2026-40490 medium priority: Ubuntu including 1 source packages (async-http-client), 9 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): needs-triage 9. | https://ubuntu.com/security/CVE-2026-40490 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||