Missing Critical Step in Authentication

CVE-2026-40542

High

7.3/10

Summary

Missing critical step in authentication in Apache HttpClient from 5.6-alpha1 prior to 5.6.1 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-304 - Missing Critical Step in Authentication

The software implements an authentication technique, but it skips a step that weakens the technique.

References

Advisory
Mail Thread

Advisory Timeline

Published Apr 22, 2026

Missing Critical Step in Authentication

CVE-2026-40542

Summary

CWE-304 - Missing Critical Step in Authentication

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS