CVE-2026-40542
Published: 22 April 2026
Summary
CVE-2026-40542 is a high-severity Missing Critical Step in Authentication (CWE-304) vulnerability in Apache HttpClient. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). It is ranked at the 27.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2026-40542 by requiring timely identification, prioritization and remediation of the authentication flaw, here by upgrading Apache HttpClient to version 5.6.1.
- RA-5 (Vulnerability Monitoring and Scanning): enables proactive discovery of systems running the vulnerable Apache HttpClient 5.6 via vulnerability scanning, so remediation of the missing mutual-authentication check can be targeted.
- SC-23 (Session Authenticity): provides mechanisms to ensure communications session authenticity, countering the risk of the client accepting a SCRAM-SHA-256 exchange without verifying the server's proof.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SCRAM-SHA-256 provides mutual authentication only if the client verifies the server signature carried in the server-final message (the v= value). A client that skips that check accepts any peer that can complete the exchange, including one that does not know the password, so an adversary positioned between client and server, or a rogue server, can pass itself off as the legitimate server and control the session that follows. That is the Adversary-in-the-Middle (T1557) pattern.
NVD Description
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Deeper analysis
CVE-2026-40542 affects Apache HttpClient version 5.6, where a missing critical step in authentication allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Published on 2026-04-22, this vulnerability is tracked under CWE-304 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low attack complexity.
A remote, unauthenticated attacker can exploit this over the network without user interaction or privileges. Positioned as an adversary-in-the-middle or operating a rogue server, the attacker lets the SCRAM-SHA-256 exchange run without knowing the password and returns a server-final message that the affected client accepts without checking the server signature. The client therefore treats an unauthenticated peer as the legitimate server, which is what the low-level confidentiality, integrity and availability impacts in the vector reflect.
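The exchange described above, as an added example that is not the page's code and not Apache HttpClient's: a minimal SCRAM-SHA-256 client and server in Python following RFC 5802/7677, with the client's verification of the server-final v= signature made switchable so the vulnerable and fixed behaviours can be run side by side against an honest server and against a rogue server that does not know the password. The user name, password, salt, iteration count and the class names are constructed fixtures; nothing here reproduces HttpClient 5.6's internals, only the protocol step the advisory says it skipped.

```python
"""SCRAM-SHA-256 (RFC 5802 / RFC 7677) client and server, with the client's
server-signature check switchable to show what skipping mutual authentication
verification buys an attacker. All fixtures below are constructed for the demo."""
import base64
import hashlib
import hmac
import os
import secrets

SALT = b"constructed-salt"                  # constructed fixture
ITERATIONS = 4096
PASSWORD = "correct horse battery staple"  # constructed fixture


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _attrs(msg: str) -> dict:
    # SCRAM attribute lists are comma separated "k=v" pairs; base64 never contains ","
    return dict(kv.split("=", 1) for kv in msg.split(","))


def scram_keys(password: str, salt: bytes, iterations: int) -> dict:
    """What a server stores: StoredKey and ServerKey derived from SaltedPassword."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"stored_key": hashlib.sha256(client_key).digest(),
            "server_key": _hmac(salted, b"Server Key")}


class ScramClient:
    def __init__(self, user: str, password: str, verify_server_signature: bool = True):
        self.user, self.password = user, password
        self.verify_server_signature = verify_server_signature
        self.cnonce = base64.b64encode(secrets.token_bytes(18)).decode()

    def client_first(self) -> str:
        self.bare = f"n={self.user},r={self.cnonce}"
        return "n,," + self.bare                      # "n,," is the GS2 header

    def client_final(self, server_first: str) -> str:
        a = _attrs(server_first)
        if not a["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend our nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        stored_key = hashlib.sha256(client_key).digest()
        without_proof = f"c=biws,r={a['r']}"          # c=biws is base64("n,,")
        self.auth_message = f"{self.bare},{server_first},{without_proof}".encode()
        client_sig = _hmac(stored_key, self.auth_message)
        proof = bytes(x ^ y for x, y in zip(client_key, client_sig))
        # The client can compute ServerSignature itself; the honest server must match it.
        self.expected_server_sig = _hmac(_hmac(salted, b"Server Key"), self.auth_message)
        return without_proof + ",p=" + base64.b64encode(proof).decode()

    def server_final(self, msg: str) -> bool:
        """Return True only if the exchange authenticated the server to us."""
        if msg.startswith("e="):
            return False
        if not self.verify_server_signature:
            return True   # the missing critical step: any v= value is accepted
        got = base64.b64decode(msg[len("v="):])
        return hmac.compare_digest(got, self.expected_server_sig)


class HonestServer:
    def __init__(self, user: str, password: str):
        self.user = user
        self.keys = scram_keys(password, SALT, ITERATIONS)

    def server_first(self, client_first: str) -> str:
        self.client_bare = client_first[len("n,,"):]
        nonce = _attrs(self.client_bare)["r"] + base64.b64encode(secrets.token_bytes(18)).decode()
        self.sfirst = f"r={nonce},s={base64.b64encode(SALT).decode()},i={ITERATIONS}"
        return self.sfirst

    def server_final(self, client_final: str) -> str:
        without_proof, proof_b64 = client_final.rsplit(",p=", 1)
        auth_message = f"{self.client_bare},{self.sfirst},{without_proof}".encode()
        client_sig = _hmac(self.keys["stored_key"], auth_message)
        client_key = bytes(x ^ y for x, y in zip(base64.b64decode(proof_b64), client_sig))
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.keys["stored_key"]):
            return "e=invalid-proof"
        return "v=" + base64.b64encode(_hmac(self.keys["server_key"], auth_message)).decode()


class RogueServer(HonestServer):
    """Adversary-in-the-middle or impersonator without the password: it cannot
    compute ServerSignature, so it fabricates a v= value and accepts any proof."""
    def __init__(self, user: str):
        self.user = user

    def server_final(self, client_final: str) -> str:
        return "v=" + base64.b64encode(os.urandom(32)).decode()


def run_exchange(client: ScramClient, server: HonestServer) -> bool:
    s_first = server.server_first(client.client_first())
    s_final = server.server_final(client.client_final(s_first))
    return client.server_final(s_final)


def demo() -> dict:
    return {
        "fixed_vs_honest": run_exchange(ScramClient("alice", PASSWORD), HonestServer("alice", PASSWORD)),
        "fixed_vs_rogue": run_exchange(ScramClient("alice", PASSWORD), RogueServer("alice")),
        "vulnerable_vs_rogue": run_exchange(ScramClient("alice", PASSWORD, verify_server_signature=False), RogueServer("alice")),
        "wrong_password": run_exchange(ScramClient("alice", "not-the-password"), HonestServer("alice", PASSWORD)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
```

Only the vulnerable client reports success against the rogue server; the fixed client rejects it because the fabricated v= value does not match the ServerSignature it derived from the password, while both clients still reject a wrong password because the honest server answers with e=invalid-proof. Note that the rogue server also chooses the salt and iteration count the client derives from, so even an unexploitable client hands an impersonator material for an offline guess; the mutual-authentication check is what stops the impersonator from being accepted as the real server.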
Apache advisories recommend upgrading to version 5.6.1, which fixes the issue by restoring proper mutual authentication verification. Additional details are provided in the Apache mailing list thread at https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97 and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/04/22/5.
Details
- CWE(s)