PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45300 AsyncHttpClient CVE debrief

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
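As an added illustration (not code from the AsyncHttpClient project), the header-propagation rule a fixed client applies on redirect: drop `Cookie` alongside `Authorization` and `Proxy-Authorization` whenever the target's origin (scheme, host, effective port) differs from the original request's. The class name, helper names and sample header values are constructed for this example.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Constructed example of the hardened rule; not AsyncHttpClient's own code.
public class RedirectHeaderFilter {

    // Request headers that must never follow a redirect to another origin.
    // The vulnerable propagatedHeaders() dropped only the first two.
    private static final Set<String> CROSS_ORIGIN_SENSITIVE =
        Set.of("authorization", "proxy-authorization", "cookie");

    // Port actually used when the URI omits one.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Same origin = same scheme, host and effective port (RFC 6454).
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    // Headers to carry over to the redirect target. A relative Location is
    // resolved against the original URI first, so "/path" stays same-origin.
    static Map<String, List<String>> propagatedHeaders(
            Map<String, List<String>> original, URI from, URI location) {
        URI target = from.resolve(location);
        boolean crossOrigin = !sameOrigin(from, target);
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, List<String>> e : original.entrySet()) {
            if (crossOrigin && CROSS_ORIGIN_SENSITIVE.contains(e.getKey().toLowerCase())) {
                continue; // credentials never cross an origin boundary
            }
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a session cookie and a bearer token on the original request.
        Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put("Cookie", List.of("JSESSIONID=constructed-sample"));
        headers.put("Authorization", List.of("Bearer constructed-sample"));
        headers.put("Accept", List.of("application/json"));
        URI origin = URI.create("https://app.example/login");
        System.out.println(propagatedHeaders(headers, origin, URI.create("/home")).keySet());
        System.out.println(propagatedHeaders(headers, origin, URI.create("https://other.example/")).keySet());
    }
}
```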

Vendor: AsyncHttpClient
Product: async-http-client
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-08
Advisory published: 2026-06-05
Advisory updated: 2026-06-08

Who should care

Any application that uses AsyncHttpClient 2.x prior to 2.15.0 or 3.x prior to 3.0.10 and follows redirects while sending cookies is affected and should upgrade.

Technical summary

When AsyncHttpClient follows a redirect to a different origin, it strips `Authorization` and `Proxy-Authorization` from the propagated headers but forwards the `Cookie` header unchanged. Session cookies and other sensitive cookie values are therefore sent to whatever server the redirect points at, including an attacker-controlled one.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to AsyncHttpClient library version 2.15.0 or later for the 2.x branch
  • Upgrade to AsyncHttpClient library version 3.0.10 or later for the 3.x branch

Evidence notes

The vulnerability was patched in versions 2.15.0 and 3.0.10 of the AsyncHttpClient library.

Official resources

CVE-2026-45300 was published on 2026-06-05T20:17:31.893Z and modified on 2026-06-08T18:37:41.620Z.