High severity 7.3 · NVD Advisory · Published Apr 22, 2026 · Updated May 1, 2026
CVE-2026-40542
Description
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.httpcomponents.client5:httpclient5 (Maven) | >= 5.6-alpha1, < 5.6.1 | 5.6.1 |
Affected products
- cpe:2.3:a:apache:httpclient:5.6:-:*:*:*:*:*:*
OSV coordinates (57 packages, none with a CPE):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/apache-nifi | < 2.9.0-r7 |
| pkg:apk/chainguard/dependency-track | < 4.14.1-r2 |
| pkg:apk/chainguard/dependency-track-apiserver | < 4.14.1-r1 |
| pkg:apk/chainguard/dependency-track-bundled | < 4.14.1-r2 |
| pkg:apk/chainguard/opensearch-3 | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-alerting | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-anomaly-detection | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-cross-cluster-replication | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-k-nn | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-ml-commons | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-notifications | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-security | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-3-sql | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3 | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-alerting | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-anomaly-detection | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-cross-cluster-replication | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-k-nn | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-ml-commons | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-notifications | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-security | < 3.6.0-r2 |
| pkg:apk/chainguard/opensearch-fips-3-sql | < 3.6.0-r2 |
| pkg:apk/chainguard/pinot | < 1.5.0-r2 |
| pkg:apk/chainguard/pinot-fips | < 1.5.0-r6 |
| pkg:apk/chainguard/trino-plugin-clickhouse | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-delta-lake | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-druid | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-hive | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-hudi | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-iceberg | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-kafka | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-lakehouse | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-openlineage | < 481-r0 |
| pkg:apk/chainguard/trino-plugin-pinot | < 481-r0 |
| pkg:apk/wolfi/apache-nifi | < 2.9.0-r7 |
| pkg:apk/wolfi/dependency-track | < 4.14.1-r2 |
| pkg:apk/wolfi/dependency-track-bundled | < 4.14.1-r2 |
| pkg:apk/wolfi/opensearch-3 | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-alerting | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-anomaly-detection | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-cross-cluster-replication | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-k-nn | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-ml-commons | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-notifications | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-security | < 3.6.0-r2 |
| pkg:apk/wolfi/opensearch-3-sql | < 3.6.0-r2 |
| pkg:apk/wolfi/trino-plugin-clickhouse | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-delta-lake | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-druid | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-hive | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-hudi | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-iceberg | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-kafka | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-lakehouse | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-openlineage | < 481-r0 |
| pkg:apk/wolfi/trino-plugin-pinot | < 481-r0 |
| pkg:maven/org.apache.httpcomponents.client5/httpclient5 | >= 5.6-alpha1, < 5.6.1 |
References
- www.openwall.com/lists/oss-security/2026/04/22/5 (source: nvd; Mailing List, Third Party Advisory; WEB)
- github.com/advisories/GHSA-v468-qcjx-r72w (source: ghsa; ADVISORY)
- lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97 (source: nvd; Mailing List, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-40542 (source: ghsa; ADVISORY)
- github.com/apache/httpcomponents-client/commit/726eac2323d370435d8afca1e0540aa099927f18 (source: ghsa; WEB)