Bug#1134337: async-http-client: CVE-2026-40490

Salvatore Bonaccorso carnil at debian.org
Sat Apr 18 20:32:02 BST 2026


Source: async-http-client
Version: 2.12.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for async-http-client.

CVE-2026-40490[0]:
| The AsyncHttpClient (AHC) library allows Java applications to easily
| execute HTTP requests and asynchronously process HTTP responses.
| When redirect following is enabled (followRedirect(true)), versions
| of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization
| and Proxy-Authorization headers along with Realm credentials to
| arbitrary redirect targets regardless of domain, scheme, or port
| changes. This leaks credentials on cross-domain redirects and HTTPS-
| to-HTTP downgrades. Additionally, even when
| stripAuthorizationOnRedirect is set to true, the Realm object
| containing plaintext credentials is still propagated to the redirect
| request, causing credential re-generation for Basic and Digest
| authentication schemes via NettyRequestFactory. An attacker who
| controls a redirect target (via open redirect, DNS rebinding, or
| MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or
| any other Authorization header value. The fix in versions 3.0.9 and
| 2.14.5 automatically strips Authorization and Proxy-Authorization
| headers and clears Realm credentials whenever a redirect crosses
| origin boundaries (different scheme, host, or port) or downgrades
| from HTTPS to HTTP. For users unable to upgrade, set
| `(stripAuthorizationOnRedirect(true))` in the client config and
| avoid using Realm-based authentication with redirect following
| enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is
| insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm
| bypass still re-generates credentials. Alternatively, disable
| redirect following (`followRedirect(false)`) and handle redirects
| manually with origin validation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40490
    https://www.cve.org/CVERecord?id=CVE-2026-40490
[1] https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g

Regards,
Salvatore
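The advisory's last mitigation (disable redirect following and handle redirects by hand with origin validation) as an added example; this is not code from the bug report or from the AsyncHttpClient project. It assumes the AHC 2.x `Dsl` builder API, attaches no `Realm` to the request (so an unfixed client has nothing to regenerate), and only sends the `Authorization` header to the exact scheme/host/port the caller addressed. Class and method names are hypothetical and the URLs in `main()` are constructed for illustration.

```java
import java.net.URI;
import java.util.concurrent.ExecutionException;

import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.BoundRequestBuilder;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;

/*
 * Added example (not AsyncHttpClient's own code): manual redirect following
 * with followRedirect(false). Per hop, the Authorization header is sent only
 * when the target is the same origin as the original request and the hop is
 * not an HTTPS -> HTTP downgrade, the same rule the advisory describes for
 * the upstream fix. Names are hypothetical.
 */
public class SafeRedirectClient {

    /** Port used on the wire: the explicit port, else the scheme default. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase();
        if (scheme.equals("https")) return 443;
        if (scheme.equals("http")) return 80;
        return -1; // unknown scheme: treated as a distinct origin
    }

    /** Origin = (scheme, host, effective port); scheme and host compare case-insensitively. */
    static boolean sameOrigin(URI a, URI b) {
        if (a.getScheme() == null || b.getScheme() == null || a.getHost() == null || b.getHost() == null) {
            return false;
        }
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    /** HTTPS -> HTTP downgrade: a MITM on the plaintext hop would capture the header. */
    static boolean isDowngrade(URI from, URI to) {
        return "https".equalsIgnoreCase(from.getScheme()) && "http".equalsIgnoreCase(to.getScheme());
    }

    /** Credentials go only to the origin the caller addressed, never over a downgraded hop. */
    static boolean mayForwardCredentials(URI original, URI target) {
        return sameOrigin(original, target) && !isDowngrade(original, target);
    }

    static boolean isRedirect(int status) {
        return status == 301 || status == 302 || status == 303 || status == 307 || status == 308;
    }

    /** GET with manual redirects; the client must be built with setFollowRedirect(false). */
    static Response getWithManualRedirects(AsyncHttpClient client, String url, String authorization, int maxHops)
            throws InterruptedException, ExecutionException {
        URI original = URI.create(url);
        URI current = original;
        for (int hop = 0; hop <= maxHops; hop++) {
            BoundRequestBuilder req = client.prepareGet(current.toString());
            if (mayForwardCredentials(original, current)) {
                req.setHeader("Authorization", authorization);
            }
            Response resp = req.execute().get();
            if (!isRedirect(resp.getStatusCode())) {
                return resp;
            }
            String location = resp.getHeader("Location");
            if (location == null) {
                return resp; // redirect without Location: hand it back rather than guess
            }
            current = current.resolve(location).normalize();
        }
        throw new IllegalStateException("redirect limit (" + maxHops + ") exceeded; last target " + current);
    }

    public static void main(String[] args) throws Exception {
        // Offline check of the decision rule on constructed URLs (no network needed).
        URI origin = URI.create("https://api.example.com/v1/resource");
        String[] targets = {
            "https://api.example.com:443/v1/other",   // same origin, default port explicit: forward
            "https://cdn.example.com/v1/resource",    // different host: strip
            "http://api.example.com/v1/resource",     // HTTPS -> HTTP downgrade: strip
            "https://api.example.com:8443/v1/other",  // different port: strip
        };
        for (String t : targets) {
            System.out.println(t + " -> forward Authorization? " + mayForwardCredentials(origin, URI.create(t)));
        }

        // Live request only when a URL is supplied on the command line.
        if (args.length > 0) {
            try (AsyncHttpClient client = Dsl.asyncHttpClient(Dsl.config().setFollowRedirect(false))) {
                Response r = getWithManualRedirects(client, args[0], "Bearer <token>", 5);
                System.out.println("final status " + r.getStatusCode() + " from " + r.getUri());
            }
        }
    }
}
```

The comparison is always against the original request URI rather than the previous hop, so a chain that leaves the origin and comes back (A -> B -> A) still resends credentials only to A, and a cross-origin intermediate never sees them. Proxy-Authorization is left to the proxy configuration and is not set per hop here.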
