CVE-2026-45300
Description
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak Cookie headers to cross-origin redirect targets. When following a redirect to a different origin, the propagatedHeaders() method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but does not strip the Cookie header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.asynchttpclient:async-http-clientMaven | >= 3.0.0.Beta1, < 3.0.10 | 3.0.10 |
org.asynchttpclient:async-http-clientMaven | >= 2.0.0, < 2.15.0 | 2.15.0 |
Affected products
13>= 2.0.0, < 2.15.0+ 1 more
- (no CPE)range: >= 2.0.0, < 2.15.0
- cpe:2.3:a:asynchttpclient_project:async-http-client:*:*:*:*:*:*:*:*range: >=2.0.0,<2.15.0
- osv-coords11 versionspkg:apk/chainguard/apache-pulsar-4.0pkg:apk/chainguard/apache-pulsar-4.2pkg:apk/chainguard/apache-pulsar-fips-4.0pkg:apk/chainguard/apache-pulsar-fips-4.2pkg:apk/chainguard/druidpkg:apk/chainguard/pinotpkg:apk/chainguard/pinot-fipspkg:apk/chainguard/tezpkg:apk/wolfi/apache-pulsar-4.2pkg:apk/wolfi/druidpkg:apk/wolfi/tez
< 4.0.10-r2+ 10 more
- (no CPE)range: < 4.0.10-r2
- (no CPE)range: < 4.2.1-r5
- (no CPE)range: < 4.0.9-r18
- (no CPE)range: < 4.2.1-r4
- (no CPE)range: < 37.0.0-r9
- (no CPE)range: < 1.5.0-r10
- (no CPE)range: < 1.5.0-r8
- (no CPE)range: < 0.10.5-r13
- (no CPE)range: < 4.2.1-r5
- (no CPE)range: < 37.0.0-r9
- (no CPE)range: < 0.10.5-r13
Patches
Vulnerability mechanics
References
5- github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9envdPatchWEB
- github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgmnvdExploitMitigationPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-fmxf-pm6p-7xgmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-45300ghsaADVISORY
- github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.