
CVE-2026-45300

7.4 HIGH

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses

Published: 2026-06-05 · Last updated: 2026-06-08

Severity and scoring

CVSS: 7.4 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CWE: CWE-200

Affected products

Vendor: asynchttpclient_project
Product: async-http-client

Description

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
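The rule the description implies is simple: when a redirect leaves the original origin, every credential-bearing header, `Cookie` included, must be dropped before the follow-up request is built. The following Java class is an added illustration of that rule, written for this page; it is not code from AsyncHttpClient, does not reproduce its `Redirect30xInterceptor` or `propagatedHeaders()` implementation, and the class, method and sample header values are all assumptions for the example. It defines origin as scheme, host and effective port, so a change of subdomain or port also counts as cross-origin.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/**
 * Hypothetical redirect header policy (not AHC's code): on a cross-origin
 * redirect, credential-bearing headers must not follow the request.
 */
public final class RedirectHeaderPolicy {

    // Headers that must never be forwarded to a different origin.
    // The advisory's point: Cookie belongs in this set alongside the two
    // Authorization headers, not only the Authorization headers.
    private static final Set<String> CREDENTIAL_HEADERS =
        Set.of("authorization", "proxy-authorization", "cookie");

    /** Origin = scheme + host + effective port (80/443 when the URI has none). */
    static String origin(URI uri) {
        String scheme = uri.getScheme().toLowerCase();
        int port = uri.getPort();
        if (port == -1) {
            port = "https".equals(scheme) ? 443 : 80;
        }
        return scheme + "://" + uri.getHost().toLowerCase() + ":" + port;
    }

    static boolean sameOrigin(URI a, URI b) {
        return origin(a).equals(origin(b));
    }

    /**
     * Returns the headers that may be carried to the redirect target.
     * Header names are matched case-insensitively, as HTTP requires.
     */
    static Map<String, List<String>> propagatedHeaders(
            Map<String, List<String>> original, URI from, URI to) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        boolean crossOrigin = !sameOrigin(from, to);
        for (Map.Entry<String, List<String>> e : original.entrySet()) {
            if (crossOrigin && CREDENTIAL_HEADERS.contains(e.getKey().toLowerCase())) {
                continue; // stripped: never send credentials to another origin
            }
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers for the demonstration.
        Map<String, List<String>> headers = new HashMap<>();
        headers.put("Cookie", List.of("JSESSIONID=constructed-sample-value"));
        headers.put("Authorization", List.of("Bearer constructed-sample-token"));
        headers.put("Accept", List.of("application/json"));

        URI from = URI.create("https://app.example/login");
        URI sameSite = URI.create("https://app.example/home");
        URI other = URI.create("https://other.example/landing");

        // Same origin keeps all three headers; cross-origin keeps only Accept.
        System.out.println("same-origin  -> " + propagatedHeaders(headers, from, sameSite).keySet());
        System.out.println("cross-origin -> " + propagatedHeaders(headers, from, other).keySet());
    }
}
```

The same check works as a regression test for an HTTP client wrapper: issue a request with a cookie to a local endpoint that answers with a 302 to a second local listener on a different port, and assert the second listener never sees a `Cookie` header. For deployments that cannot move to 2.15.0 or 3.0.10 immediately, disabling automatic redirect following and handling redirects in application code gives the same control point.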

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-47177 Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
  • CVE-2026-47176 Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support
  • CVE-2026-44486 Axios is a promise based HTTP client for the browser and Node.js (7.5 HIGH)
  • CVE-2026-53912 Cerebrate before version 1.37 exposed credential material from self-registration requests
  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)