CVE-2026-40490: AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
When redirect following is enabled (followRedirect(true)), AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades.
Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory.
An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value.
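The block below is an added example and not AsyncHttpClient code: a Python model of the two redirect policies the advisory contrasts. `vulnerable_redirect` reproduces the reported pre-fix behaviour (headers and realm copied to whatever `Location` says), while `hardened_redirect` forwards `Authorization`, `Proxy-Authorization` and the realm credentials only when scheme, host and effective port all match, so a cross-domain hop, an HTTPS-to-HTTP downgrade or a port change drops them. The `Request` class, the `(user, password)` tuple standing in for the library's `Realm` object, the function names and the sample URLs are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Request-level credentials that must never be forwarded to a different origin.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """Minimal stand-in for an outgoing request (constructed for this example)."""
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    # (user, password) pair standing in for AHC's Realm object; None if no realm.
    realm: Optional[Tuple[str, str]] = None


def origin(url: str) -> Tuple[str, str, int]:
    """Return the (scheme, host, effective port) triple that defines an origin.

    A missing port resolves to the scheme default so that https://h/ and
    https://h:443/ compare equal; host and scheme are compared case-insensitively.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot determine origin of {url!r}")
    return scheme, host, port


def vulnerable_redirect(req: Request, location: str) -> Request:
    """Reported pre-fix behaviour: headers and realm copied to any Location."""
    return Request(urljoin(req.url, location), dict(req.headers), req.realm)


def hardened_redirect(req: Request, location: str) -> Request:
    """Forward credentials only when the redirect target is the same origin.

    Any change of scheme (including an HTTPS-to-HTTP downgrade), host or port
    drops Authorization, Proxy-Authorization and the realm credentials.
    """
    target = urljoin(req.url, location)
    same_origin = origin(req.url) == origin(target)
    headers = {
        name: value
        for name, value in req.headers.items()
        if same_origin or name.lower() not in SENSITIVE_HEADERS
    }
    return Request(target, headers, req.realm if same_origin else None)


def leaked_credentials(req: Request) -> set:
    """Names of credential carriers still attached to a redirected request."""
    leaked = {n for n in req.headers if n.lower() in SENSITIVE_HEADERS}
    if req.realm is not None:
        leaked.add("realm")
    return leaked


# Constructed sample: an authenticated API call that gets redirected.
ORIGINAL = Request(
    "https://api.example.com/v1/data",
    {"Authorization": "Bearer eyJhbGciOi.example.token", "Accept": "application/json"},
    realm=("alice", "s3cret"),
)

# Redirect targets covering the cases in the advisory plus two same-origin controls.
CASES = {
    "cross-domain": "https://collector.attacker.example/",
    "https-to-http downgrade": "http://api.example.com/v1/data",
    "port change": "https://api.example.com:8443/v1/data",
    "same origin (relative)": "/v2/data",
    "same origin (explicit default port)": "https://api.example.com:443/v1/data",
}


def compare(req: Request = ORIGINAL) -> Dict[str, Tuple[set, set]]:
    """For each case: (credentials leaked by the vulnerable path, by the hardened path)."""
    return {
        name: (
            leaked_credentials(vulnerable_redirect(req, loc)),
            leaked_credentials(hardened_redirect(req, loc)),
        )
        for name, loc in CASES.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:38s} vulnerable -> {sorted(before)}   hardened -> {sorted(after)}")
```

The origin comparison is the check an application can apply itself when it turns automatic redirect following off and handles 3xx responses manually; for the library-side fix, see the commits and release tags listed under References.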
References
- github.com/AsyncHttpClient/async-http-client
- github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8
- github.com/AsyncHttpClient/async-http-client/commit/ae557ad35246721c09dafb2976609cd0004e78ae
- github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-2.14.5
- github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.9
- github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
- github.com/advisories/GHSA-cmxv-58fp-fm3g
- nvd.nist.gov/vuln/detail/CVE-2026-40490