CVE-2026-40542: Apache HttpClient accepts SCRAM-SHA-256 authentication without proper mutual authentication verification

April 22, 2026 (updated April 29, 2026)

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

References

github.com/advisories/GHSA-v468-qcjx-r72w
github.com/apache/httpcomponents-client
github.com/apache/httpcomponents-client/commit/726eac2323d370435d8afca1e0540aa099927f18
lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97
nvd.nist.gov/vuln/detail/CVE-2026-40542

Code Behaviors & Features

Detect and mitigate CVE-2026-40542 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →