Severity: important

Affected versions:

- Apache HttpClient 5.6

Description:

A missing critical step in authentication in Apache HttpClient 5.6 may allow an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification.

Users are recommended to upgrade to Apache HttpClient 5.6.1, which corrects this issue.

Credit:

This issue was reported by Rasmus Moorats.

References:

https://hc.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40542
https://github.com/apache/httpcomponents-client/commit/726eac2323d370435d8afca1e0540aa099927f18

Arturo
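
In SCRAM (RFC 5802), mutual authentication rests on the client checking the ServerSignature (`v=`) in the server's final message and failing closed when it is absent or wrong. The Python example below is added here to illustrate that check; it is not HttpClient code or the project's fix, the advisory does not detail the affected code path, and all names and sample values are constructed.

```python
import base64
import hashlib
import hmac

def server_signature(password, salt, iterations, auth_message):
    """RFC 5802: ServerSignature = HMAC(HMAC(SaltedPassword, "Server Key"), AuthMessage)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return hmac.new(server_key, auth_message, hashlib.sha256).digest()

def verify_server_final(server_final, password, salt, iterations, auth_message):
    """Accept the exchange only if server-final carries a valid v= attribute."""
    attrs = dict(p.split("=", 1) for p in server_final.split(",") if "=" in p)
    if "e" in attrs or "v" not in attrs:
        return False  # server-reported error or no proof at all: fail closed
    try:
        received = base64.b64decode(attrs["v"], validate=True)
    except ValueError:
        return False  # malformed base64
    expected = server_signature(password, salt, iterations, auth_message)
    return hmac.compare_digest(received, expected)

# Constructed sample exchange (ASCII password, so SASLprep is a no-op here).
PASSWORD, SALT, ITERATIONS = b"correct horse", b"constructed-salt", 4096
CLIENT_FIRST_BARE = "n=alice,r=cnonce"
SERVER_FIRST = "r=cnoncesnonce,s=%s,i=%d" % (base64.b64encode(SALT).decode(), ITERATIONS)
CLIENT_FINAL_WITHOUT_PROOF = "c=biws,r=cnoncesnonce"
AUTH_MESSAGE = ",".join(
    [CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_WITHOUT_PROOF]).encode()

def demo():
    """Verify four constructed server-final messages; only the first is valid."""
    def final_for(pw):
        sig = server_signature(pw, SALT, ITERATIONS, AUTH_MESSAGE)
        return "v=" + base64.b64encode(sig).decode()
    cases = {
        "genuine": final_for(PASSWORD),
        "wrong_key": final_for(b"not the password"),
        "missing": "",
        "error": "e=invalid-proof",
    }
    return {name: verify_server_final(msg, PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
            for name, msg in cases.items()}

if __name__ == "__main__":
    print(demo())
```

A client that treats the "missing" or "wrong_key" cases as success has authenticated itself to a peer that never proved knowledge of the credentials.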
