{ "threat_severity" : "Important", "public_date" : "2026-04-22T07:07:21Z", "bugzilla" : { "description" : "httpclient: Apache HttpClient: Authentication bypass due to missing mutual authentication verification", "id" : "2460518", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460518" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "draft" }, "cwe" : "CWE-325", "details" : [ "A flaw was found in Apache HttpClient. This vulnerability allows a remote attacker to bypass a critical step in the SCRAM-SHA-256 authentication process. By exploiting this, an attacker can trick the client into accepting authentication without proper mutual verification, potentially compromising the confidentiality and integrity of data." ], "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Not affected", "package_name" : "mta/mta-cli-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "Migration Toolkit for Applications 8", "fix_state" : "Not affected", "package_name" : "mta/mta-java-external-provider-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel9", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel9", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Certificate System 10", "fix_state" : "Not affected", "package_name" : "redhat-pki:10/redhat-pki", "cpe" : "cpe:/a:redhat:certificate_system:10" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "dogtag-pki", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "mod_proxy_cluster", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "maven-changes-plugin", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "maven-doxia", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "javapackages-tools:201801/httpcomponents-client", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "javapackages-tools:201801/maven-doxia", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "javapackages-tools:201801/maven-resolver", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "javapackages-tools:201801/maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "pki-core:10.6/resteasy", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "pki-deps:10.6/resteasy", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "jmc", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven:3.9/httpcomponents-client", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven:3.9/maven", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven:3.9/maven-resolver", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven:3.9/maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven-resolver", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "mod_proxy_cluster", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "pki-core", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "resteasy", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "httpclient-osgi", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "httpclient-win", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Not affected", "package_name" : "jbcs-httpd24-mod_cluster-native", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Not affected", "package_name" : "jbcs-httpd24-mod_proxy_cluster", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "httpclient-osgi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "httpclient-win", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "httpclient-osgi", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "httpclient-win", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "httpclient-cache", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "httpclient-osgi", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "httpclient-win", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Not affected", "package_name" : "jws5-mod_cluster", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" }, { "product_name" : "Red Hat JBoss Web Server 6", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6" }, { "product_name" : "Red Hat Lightspeed for Runtimes Operator", "fix_state" : "Not affected", "package_name" : "rh-lightspeed-runtimes/runtimes-agent-init-rhel9", "cpe" : "cpe:/a:redhat:lightspeed_for_runtimes:1" }, { "product_name" : "Red Hat Offline Knowledge Portal", "fix_state" : "Not affected", "package_name" : "offline-knowledge-portal/rhokp-rhel9", "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-trustyai-service-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-trustyai-service-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/openvsx-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/pluginregistry-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "openvox-server", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite:el8/puppetserver", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Not affected", "package_name" : "httpclient", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40542\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40542\nhttps://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97" ], "name" : "CVE-2026-40542", "csaw" : false }