#1134337 async-http-client: CVE-2026-40490

Package:
src:async-http-client
Source:
src:async-http-client
Submitter:
Salvatore Bonaccorso
Date:
2026-04-18 19:33:02 UTC
Severity:
normal
Date:
2026-04-18 19:32:02 UTC
Hi,

The following vulnerability was published for async-http-client.

CVE-2026-40490[0]:
| The AsyncHttpClient (AHC) library allows Java applications to easily
| execute HTTP requests and asynchronously process HTTP responses.
| When redirect following is enabled (followRedirect(true)), versions
| of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization
| and Proxy-Authorization headers along with Realm credentials to
| arbitrary redirect targets regardless of domain, scheme, or port
| changes. This leaks credentials on cross-domain redirects and HTTPS-
| to-HTTP downgrades. Additionally, even when
| stripAuthorizationOnRedirect is set to true, the Realm object
| containing plaintext credentials is still propagated to the redirect
| request, causing credential re-generation for Basic and Digest
| authentication schemes via NettyRequestFactory. An attacker who
| controls a redirect target (via open redirect, DNS rebinding, or
| MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or
| any other Authorization header value. The fix in versions 3.0.9 and
| 2.14.5 automatically strips Authorization and Proxy-Authorization
| headers and clears Realm credentials whenever a redirect crosses
| origin boundaries (different scheme, host, or port) or downgrades
| from HTTPS to HTTP. For users unable to upgrade, set
| `(stripAuthorizationOnRedirect(true))` in the client config and
| avoid using Realm-based authentication with redirect following
| enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is
| insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm
| bypass still re-generates credentials. Alternatively, disable
| redirect following (`followRedirect(false)`) and handle redirects
| manually with origin validation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40490
https://www.cve.org/CVERecord?id=CVE-2026-40490
[1] https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g

Regards,
Salvatore
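The CVE text above recommends, for users who cannot upgrade, disabling automatic redirect following and handling redirects manually with origin validation. The Java class below is an added example illustrating that recommendation; it is not code from the bug report, the CVE record or the async-http-client project. It follows redirects itself and drops the Authorization and Proxy-Authorization headers whenever the next hop leaves the original origin (scheme, host or effective port changes, which also covers an HTTPS-to-HTTP downgrade). The `Fetcher` interface and the in-memory redirect chain in `main` are constructed stand-ins so the example runs offline; wiring a real `Fetcher` to AsyncHttpClient with redirect following turned off on the config builder is assumed and not shown, and Realm-based authentication is not modelled.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Manual redirect following with credential stripping on cross-origin hops.
 *  Added example, not part of async-http-client. */
public final class RedirectPolicy {

    /** Minimal HTTP abstraction (assumed) so the example runs without a network;
     *  a real implementation would issue the request through an HTTP client
     *  configured not to follow redirects on its own. */
    @FunctionalInterface
    interface Fetcher {
        Result fetch(URI uri, Map<String, String> headers);
    }

    /** Status code plus the Location header (null when absent). */
    record Result(int status, String location) {}

    /** Port actually used on the wire: explicit port, else the scheme default. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Same origin = same scheme, same host (case-insensitive) and same effective port.
     *  An HTTPS-to-HTTP downgrade changes the scheme and therefore fails this check. */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && b.getScheme() != null
            && a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost() != null && b.getHost() != null
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    /** Copy of the headers without Authorization / Proxy-Authorization. */
    static Map<String, String> stripAuth(Map<String, String> headers) {
        Map<String, String> copy = new HashMap<>();
        headers.forEach((k, v) -> {
            if (!k.equalsIgnoreCase("Authorization")
                    && !k.equalsIgnoreCase("Proxy-Authorization")) {
                copy.put(k, v);
            }
        });
        return copy;
    }

    /** Follow up to maxHops redirects; credentials only travel to same-origin targets. */
    static Result followManually(Fetcher fetcher, URI start,
                                 Map<String, String> headers, int maxHops) {
        URI current = start;
        Map<String, String> h = headers;
        for (int hop = 0; hop <= maxHops; hop++) {
            Result r = fetcher.fetch(current, h);
            if (r.status() < 300 || r.status() > 399 || r.location() == null) return r;
            URI next = current.resolve(r.location());   // relative Location is allowed
            if (!sameOrigin(current, next)) h = stripAuth(h);
            current = next;
        }
        throw new IllegalStateException("too many redirects from " + start);
    }

    public static void main(String[] args) {
        // Constructed redirect chain: same-origin hop first, then a cross-origin hop.
        Map<String, String> chain = new HashMap<>();
        chain.put("https://api.example/login", "/v2/login");                  // same origin
        chain.put("https://api.example/v2/login", "http://other.example/cb"); // new host + downgrade

        List<String> seen = new ArrayList<>();   // records which hosts saw credentials
        Fetcher fake = (uri, hdrs) -> {
            seen.add(uri.getHost() + " auth=" + hdrs.containsKey("Authorization"));
            String loc = chain.get(uri.toString());
            return loc == null ? new Result(200, null) : new Result(302, loc);
        };

        Map<String, String> headers = new HashMap<>();
        headers.put("Authorization", "Bearer constructed-sample-token");

        Result end = followManually(fake, URI.create("https://api.example/login"), headers, 5);
        seen.forEach(System.out::println);
        // api.example auth=true, api.example auth=true, other.example auth=false
        System.out.println("final status " + end.status());
    }
}
```

The policy is deliberately coarse: any origin change drops credentials, which is the same rule the advisory describes for the fixed versions. A client that legitimately needs credentials on a known second host should add that host to an explicit allow-list rather than loosen the same-origin test.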