Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Apache HttpClient by Apache Software Foundation

    CVE-2026-40542 (GCVE-0-2026-40542)

    Vulnerability from nvd – Published: 2026-04-22 07:07 – Updated: 2026-06-30 03:19
    VLAI
    Title
    Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
    Summary
    Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-304 - Missing Critical Step in Authentication
    • CWE-325 - Missing Cryptographic Step
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache HttpClient Affected: 5.6 , < 5.6.1 (semver)
    Create a notification for this product.
    Red Hat OpenShift Developer Tools and Services     cpe:/a:redhat:ocp_tools
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
    Create a notification for this product.
    Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat AMQ Clients     cpe:/a:redhat:amq_clients:2023
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
    Create a notification for this product.
    Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:3
    Create a notification for this product.
    Red Hat Red Hat Certificate System 10     cpe:/a:redhat:certificate_system:10
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Core Services     cpe:/a:redhat:jboss_core_services:1
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat JBoss Web Server 5     cpe:/a:redhat:jboss_enterprise_web_server:5
    Create a notification for this product.
    Red Hat Red Hat JBoss Web Server 6     cpe:/a:redhat:jboss_enterprise_web_server:6
    Create a notification for this product.
    Red Hat Red Hat Lightspeed for Runtimes Operator     cpe:/a:redhat:lightspeed_for_runtimes:1
    Create a notification for this product.
    Red Hat Red Hat Offline Knowledge Portal     cpe:/a:redhat:offline_knowledge_portal:1
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
    Create a notification for this product.
    Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
    Create a notification for this product.
    Credits
    Rasmus Moorats
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40542",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:14:52.319783Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:15:54.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-22T16:23:59.296Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/22/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ocp_tools"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Developer Tools and Services",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:serverless:1"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Serverless",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_clients:2023"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat AMQ Clients",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apache_camel_hawtio:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel - HawtIO 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_spring_boot:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel for Spring Boot 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apicurio_registry:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apicurio Registry 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:debezium:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Debezium 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:optaplanner:::el6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OptaPlanner 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Quarkus",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:certificate_system:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Certificate System 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_core_services:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Core Services",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_web_server:5"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Web Server 5",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_web_server:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Web Server 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:lightspeed_for_runtimes:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Lightspeed for Runtimes Operator",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:offline_knowledge_portal:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Offline Knowledge Portal",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2"
                ],
                "defaultStatus": "unaffected",
                "product": "streams for Apache Kafka 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3"
                ],
                "defaultStatus": "unaffected",
                "product": "streams for Apache Kafka 3",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-22T07:07:21.344Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Apache HttpClient. This vulnerability allows a remote attacker to bypass a critical step in the SCRAM-SHA-256 authentication process. By exploiting this, an attacker can trick the client into accepting authentication without proper mutual verification, potentially compromising the confidentiality and integrity of data."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-325",
                    "description": "Missing Cryptographic Step",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:19:18.550Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-40542"
              },
              {
                "name": "RHBZ#2460518",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460518"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40542.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-22T08:00:57.407Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-22T07:07:21.344Z",
                "value": "Made public."
              }
            ],
            "title": "httpclient: Apache HttpClient: Authentication bypass due to missing mutual authentication verification",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.maven.apache.org/maven2",
              "defaultStatus": "unaffected",
              "packageName": "org.apache.httpcomponents.client5:httpclient5",
              "product": "Apache HttpClient",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "5.6.1",
                  "status": "affected",
                  "version": "5.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rasmus Moorats"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eMissing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.\u003c/code\u003e\u003cbr\u003e"
                }
              ],
              "value": "Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "Important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-304",
                  "description": "CWE-304: Missing Critical Step in Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-22T07:07:21.344Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-40542",
        "datePublished": "2026-04-22T07:07:21.344Z",
        "dateReserved": "2026-04-14T09:11:14.268Z",
        "dateUpdated": "2026-06-30T03:19:18.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40542 (GCVE-0-2026-40542)

    Vulnerability from cvelistv5 – Published: 2026-04-22 07:07 – Updated: 2026-06-30 03:19
    VLAI
    Title
    Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
    Summary
    Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-304 - Missing Critical Step in Authentication
    • CWE-325 - Missing Cryptographic Step
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache HttpClient Affected: 5.6 , < 5.6.1 (semver)
    Create a notification for this product.
    Red Hat OpenShift Developer Tools and Services     cpe:/a:redhat:ocp_tools
    Create a notification for this product.
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Create a notification for this product.
    Red Hat Migration Toolkit for Applications 8     cpe:/a:redhat:migration_toolkit_applications:8
    Create a notification for this product.
    Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
    Create a notification for this product.
    Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
    Create a notification for this product.
    Red Hat Red Hat AMQ Clients     cpe:/a:redhat:amq_clients:2023
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Create a notification for this product.
    Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Create a notification for this product.
    Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
    Create a notification for this product.
    Red Hat Red Hat build of Debezium 3     cpe:/a:redhat:debezium:3
    Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Create a notification for this product.
    Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:3
    Create a notification for this product.
    Red Hat Red Hat Certificate System 10     cpe:/a:redhat:certificate_system:10
    Create a notification for this product.
    Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Core Services     cpe:/a:redhat:jboss_core_services:1
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Create a notification for this product.
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Create a notification for this product.
    Red Hat Red Hat JBoss Web Server 5     cpe:/a:redhat:jboss_enterprise_web_server:5
    Create a notification for this product.
    Red Hat Red Hat JBoss Web Server 6     cpe:/a:redhat:jboss_enterprise_web_server:6
    Create a notification for this product.
    Red Hat Red Hat Lightspeed for Runtimes Operator     cpe:/a:redhat:lightspeed_for_runtimes:1
    Create a notification for this product.
    Red Hat Red Hat Offline Knowledge Portal     cpe:/a:redhat:offline_knowledge_portal:1
    Create a notification for this product.
    Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
    Create a notification for this product.
    Red Hat Red Hat OpenShift Dev Spaces     cpe:/a:redhat:openshift_devspaces:3
    Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Create a notification for this product.
    Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
    Create a notification for this product.
    Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
    Create a notification for this product.
    Red Hat streams for Apache Kafka 2     cpe:/a:redhat:amq_streams:2
    Create a notification for this product.
    Red Hat streams for Apache Kafka 3     cpe:/a:redhat:amq_streams:3
    Create a notification for this product.
    Credits
    Rasmus Moorats
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40542",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:14:52.319783Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:15:54.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-22T16:23:59.296Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/22/5"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ocp_tools"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Developer Tools and Services",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:cryostat:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Cryostat 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:migration_toolkit_applications:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Migration Toolkit for Applications 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:serverless:1"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Serverless",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_broker:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat AMQ Broker 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_clients:2023"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat AMQ Clients",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apache_camel_hawtio:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel - HawtIO 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:camel_spring_boot:4"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apache Camel for Spring Boot 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_registry:2"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apicurio Registry 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:apicurio_registry:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Apicurio Registry 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:debezium:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Debezium 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:optaplanner:::el6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OptaPlanner 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:quarkus:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of Quarkus",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:certificate_system:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Certificate System 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_data_grid:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Data Grid 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_core_services:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Core Services",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jbosseapxp"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_web_server:5"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Web Server 5",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_web_server:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat JBoss Web Server 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:lightspeed_for_runtimes:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Lightspeed for Runtimes Operator",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:offline_knowledge_portal:1"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Offline Knowledge Portal",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_devspaces:3"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat OpenShift Dev Spaces",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Process Automation 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:satellite:6"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Satellite 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:red_hat_single_sign_on:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Single Sign-On 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:2"
                ],
                "defaultStatus": "unaffected",
                "product": "streams for Apache Kafka 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:amq_streams:3"
                ],
                "defaultStatus": "unaffected",
                "product": "streams for Apache Kafka 3",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-22T07:07:21.344Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in Apache HttpClient. This vulnerability allows a remote attacker to bypass a critical step in the SCRAM-SHA-256 authentication process. By exploiting this, an attacker can trick the client into accepting authentication without proper mutual verification, potentially compromising the confidentiality and integrity of data."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "LOW",
                  "baseScore": 7.3,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-325",
                    "description": "Missing Cryptographic Step",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:19:18.550Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-40542"
              },
              {
                "name": "RHBZ#2460518",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460518"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40542.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-22T08:00:57.407Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-22T07:07:21.344Z",
                "value": "Made public."
              }
            ],
            "title": "httpclient: Apache HttpClient: Authentication bypass due to missing mutual authentication verification",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.maven.apache.org/maven2",
              "defaultStatus": "unaffected",
              "packageName": "org.apache.httpcomponents.client5:httpclient5",
              "product": "Apache HttpClient",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "lessThan": "5.6.1",
                  "status": "affected",
                  "version": "5.6",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rasmus Moorats"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003ccode\u003eMissing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.\u003c/code\u003e\u003cbr\u003e"
                }
              ],
              "value": "Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "Important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-304",
                  "description": "CWE-304: Missing Critical Step in Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-22T07:07:21.344Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2026-40542",
        "datePublished": "2026-04-22T07:07:21.344Z",
        "dateReserved": "2026-04-14T09:11:14.268Z",
        "dateUpdated": "2026-06-30T03:19:18.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }