PatchSiren cyber security CVE debrief
CVE-2026-40542 Apache Software Foundation CVE debrief
CVE-2026-40542 is a high-severity vulnerability in Apache HttpClient 5.6 that allows an attacker to bypass proper mutual authentication verification for SCRAM-SHA-256 authentication. This vulnerability was published on April 22, 2026, and modified on June 30, 2026. The CVSS score for this vulnerability is 7.3, indicating a high severity. Users are recommended to upgrade to version 5.6.1, which fixes this issue. The vulnerability is caused by a missing critical step in authentication, allowing an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper verification.
- Vendor: Apache Software Foundation
- Product: Apache HttpClient
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-22
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-22
- Advisory updated: 2026-06-30
Who should care
Organizations using Apache HttpClient 5.6 should prioritize upgrading to version 5.6.1 to mitigate this vulnerability. This vulnerability could allow an attacker to bypass authentication, potentially leading to unauthorized access or data breaches. Security teams and developers responsible for maintaining and updating software dependencies should be aware of this issue and take necessary actions.
Technical summary
The vulnerability in Apache HttpClient 5.6 is due to a missing critical step in authentication, specifically for SCRAM-SHA-256 authentication. This allows an attacker to cause the client to accept this authentication method without proper mutual authentication verification. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating a high severity. The CWE for this vulnerability is CWE-304, related to Missing Critical Step in Authentication. Red Hat has also provided additional information and potential mitigations for this vulnerability.
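To make concrete what "mutual authentication verification" means for SCRAM-SHA-256, the following is an added example written for this debrief; it is not Apache HttpClient code and does not claim to reproduce the exact defect in 5.6. It implements the client-side arithmetic of RFC 5802 / RFC 7677 (PBKDF2-HMAC-SHA-256 salted password, ClientKey, StoredKey, ServerKey, ClientProof) and the final step a client must perform: checking that the server's v= attribute equals HMAC(ServerKey, AuthMessage). All credentials, nonces and the salt are constructed for the demonstration, the simulated servers (honest_server, keyless_server) are hypothetical, and SASLprep normalisation of the password is omitted.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample values for the demonstration; none of this comes from Apache HttpClient.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"   # SASLprep normalisation is omitted here
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE_SUFFIX = "3rfcNHYJY1ZVvWVs7j"
SALT = b"constructed-salt"
ITERATIONS = 4096


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword, ClientKey, StoredKey and ServerKey as defined in RFC 5802 / RFC 7677."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac_sha256(salted, b"Server Key")
    return client_key, stored_key, server_key


def parse_attrs(message: str) -> dict:
    """Split 'k=v,k=v' SCRAM attributes; a token without '=' is a protocol error."""
    attrs = {}
    for token in message.split(","):
        if "=" not in token:
            raise ValueError(f"malformed SCRAM attribute: {token!r}")
        key, value = token.split("=", 1)
        attrs[key] = value
    return attrs


def auth_message(client_first_bare: str, server_first: str, client_final_without_proof: str) -> bytes:
    return ",".join([client_first_bare, server_first, client_final_without_proof]).encode("utf-8")


def client_final_and_expected_sig(password: str, client_first_bare: str, server_first: str):
    """Build client-final-message and the ServerSignature the client must see afterwards."""
    sf = parse_attrs(server_first)
    client_key, stored_key, server_key = derive_keys(password, base64.b64decode(sf["s"]), int(sf["i"]))
    without_proof = "c=biws,r=" + sf["r"]          # "biws" = base64("n,,"): no channel binding
    msg = auth_message(client_first_bare, server_first, without_proof)
    client_sig = hmac_sha256(stored_key, msg)
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    client_final = without_proof + ",p=" + base64.b64encode(proof).decode("ascii")
    return client_final, hmac_sha256(server_key, msg)


def verify_server_final(server_final: str, expected_server_sig: bytes) -> bool:
    """The mutual-authentication step: accept only a server-final-message whose v=
    attribute equals HMAC(ServerKey, AuthMessage); an error, a missing v= or a
    mismatch all fail closed."""
    try:
        attrs = parse_attrs(server_final)
        if "e" in attrs or "v" not in attrs:
            return False
        received = base64.b64decode(attrs["v"], validate=True)
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(received, expected_server_sig)


def honest_server(client_first_bare: str, server_first: str, client_final: str) -> str:
    """Hypothetical server that holds ServerKey (derived here from the password for
    brevity; a real server stores ServerKey, not the password) and signs correctly."""
    sf = parse_attrs(server_first)
    _, _, server_key = derive_keys(PASSWORD, base64.b64decode(sf["s"]), int(sf["i"]))
    without_proof = client_final.rsplit(",p=", 1)[0]
    sig = hmac_sha256(server_key, auth_message(client_first_bare, server_first, without_proof))
    return "v=" + base64.b64encode(sig).decode("ascii")


def keyless_server(client_first_bare: str, server_first: str, client_final: str) -> str:
    """Hypothetical server without ServerKey: it cannot derive the right signature, so
    whatever v= it sends is one a verifying client will reject."""
    return "v=" + base64.b64encode(b"\x00" * 32).decode("ascii")


def run_exchange(server, verify_server: bool) -> bool:
    """Run one SCRAM-SHA-256 exchange and return True if the client accepts the server.
    verify_server=False models a client that skips the final verification step."""
    client_first_bare = f"n={USERNAME},r={CLIENT_NONCE}"
    server_first = (f"r={CLIENT_NONCE}{SERVER_NONCE_SUFFIX},"
                    f"s={base64.b64encode(SALT).decode('ascii')},i={ITERATIONS}")
    client_final, expected_sig = client_final_and_expected_sig(PASSWORD, client_first_bare, server_first)
    server_final = server(client_first_bare, server_first, client_final)
    if not verify_server:
        return True                       # the missing step: whatever arrived is accepted
    return verify_server_final(server_final, expected_sig)


if __name__ == "__main__":
    print("verifying client, honest server :", run_exchange(honest_server, True))    # True
    print("verifying client, keyless server:", run_exchange(keyless_server, True))   # False
    print("skipping client,  keyless server:", run_exchange(keyless_server, False))  # True
```

The third line of output is the behaviour CWE-304 describes: a client that omits the final check completes the handshake against any peer that can play the first two messages, because only the v= comparison proves the server knew ServerKey. The check uses hmac.compare_digest so the comparison does not leak timing, and it treats a missing v=, an e= error attribute and undecodable base64 identically as failures.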
Defensive priority
High priority should be given to upgrading Apache HttpClient to version 5.6.1. Security teams should also review and update their inventory of affected systems and monitor for potential exploitation attempts.
Recommended defensive actions
- Upgrade Apache HttpClient to version 5.6.1
- Review and update inventory of affected systems
- Monitor for potential exploitation attempts
- Implement additional authentication verification for SCRAM-SHA-256
- Consider compensating controls for authentication
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. The source item URL provides additional metadata and references related to the vulnerability. Apache and Red Hat have provided information and potential mitigations for this vulnerability.
Official resources
- CVE-2026-40542 CVE record (CVE.org)
- CVE-2026-40542 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] (Mailing List, Vendor Advisory)
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.