CVE-2026-40542
Published 2026-04-22
Severity: high, 7.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Affected
38 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | httpclient | — | — |
| apache | httpclient | — | — |
| apache_software_foundation | apache_httpclient | >= 5.6 < 5.6.1 | 5.6.1 |
| candlepinproject | candlepin | — | — |
| debian | dogtag-pki | — | — |
| debian | puppetserver | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| javapackages-tools_201801 | httpcomponents-client | — | — |
| javapackages-tools_201801 | maven-doxia | — | — |
| javapackages-tools_201801 | maven-resolver | — | — |
| javapackages-tools_201801 | maven-wagon | — | — |
| jenkins | jenkins | — | — |
| maven_3.9 | httpcomponents-client | — | — |
| maven_3.9 | maven | — | — |
| maven_3.9 | maven-resolver | — | — |
| maven_3.9 | maven-wagon | — | — |
| mta | mta-cli-rhel9 | — | — |
| mta | mta-java-external-provider-rhel9 | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| offline-knowledge-portal | rhokp-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-source-rhel9 | — | — |