CVE-2026-40490
Authorization Header Leakage via Cross-Domain Redirects in AsyncHttpClient
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| async_http_client | async_http_client | < 2.14.5 (2.14.5 itself excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the AsyncHttpClient (AHC) library in versions before 3.0.9 on the 3.x line and before 2.14.5 on the 2.x line, when redirect following is enabled. In these versions the Authorization and Proxy-Authorization headers, together with any Realm credentials attached to the request, are forwarded to the redirect target regardless of whether the domain, scheme, or port changed. Credentials are therefore leaked on cross-domain redirects and on HTTPS-to-HTTP downgrades.
Setting the configuration option stripAuthorizationOnRedirect to true does not fully close the hole: it removes the raw Authorization header, but the Realm object carrying plaintext credentials is still carried over to the redirected request, and the client regenerates an Authorization header from it for the Basic and Digest schemes. An attacker who controls the redirect target can therefore capture Bearer tokens (sent as raw headers) as well as Basic credentials (regenerated from the Realm).
The issue is fixed in versions 3.0.9 and 2.14.5, which strip the Authorization headers and clear the Realm credentials whenever a redirect crosses an origin boundary (scheme, host, or port) or downgrades from HTTPS to HTTP.
How can this vulnerability impact me?
This vulnerability can lead to the leakage of sensitive authentication credentials such as Bearer tokens, Basic authentication credentials, or other Authorization header values to malicious redirect targets.
An attacker who controls a redirect target through methods like open redirect, DNS rebinding, or man-in-the-middle attacks on HTTP connections can capture these credentials.
This credential leakage can result in unauthorized access to protected resources or services, potentially compromising the security of your application or user data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade AsyncHttpClient to 2.14.5 or later on the 2.x line, or to 3.0.9 or later on the 3.x line, where the issue is fixed.
If upgrading is not possible, configure the client with stripAuthorizationOnRedirect(true) and avoid Realm-based authentication while redirect following is enabled; as described above, the strip option covers only the raw Authorization header and does not stop a Realm from regenerating credentials on the redirected request.
Alternatively, disable redirect following with followRedirect(false) and handle redirects yourself, comparing the scheme, host, and port of each Location target against the original request and dropping the credentials whenever they differ.
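The manual-redirect mitigation above, written out as an added example; this is not code from the AsyncHttpClient project. It assumes the AHC 2.x/3.x `Dsl` API (`Dsl.config().setFollowRedirect(false)`, `prepareGet`, `setHeader`, `Response.getHeader`); the URL and the token string are placeholders. The origin check compares the effective port (filling in 80 or 443 when the URI carries none) so that an explicit default port is not mistaken for a different origin, and a scheme change such as HTTPS to HTTP fails the check on its own.

```java
import java.io.IOException;
import java.net.URI;
import java.util.concurrent.ExecutionException;

import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.BoundRequestBuilder;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;

/**
 * Added example, not AHC's own code: follow redirects by hand and drop the
 * credential as soon as a hop leaves the original origin or downgrades to HTTP.
 */
public class SafeRedirectClient {

    static final int MAX_REDIRECTS = 5;

    /** Effective port: the explicit port, or the scheme default when none is given. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /**
     * Credentials may be replayed only when scheme, host and effective port all match.
     * A scheme change covers the HTTPS-to-HTTP downgrade; comparing effective ports
     * treats https://a.example and https://a.example:443 as the same origin.
     */
    static boolean sameOrigin(URI from, URI to) {
        return from.getScheme().equalsIgnoreCase(to.getScheme())
            && from.getHost().equalsIgnoreCase(to.getHost())
            && effectivePort(from) == effectivePort(to);
    }

    static boolean isRedirect(int status) {
        return status == 301 || status == 302 || status == 303
            || status == 307 || status == 308;
    }

    /**
     * GET url with a raw Authorization header, following up to MAX_REDIRECTS hops.
     * The library's automatic following is disabled so this code decides what is sent.
     */
    static Response getWithCredential(String url, String authorization)
            throws IOException, ExecutionException, InterruptedException {
        try (AsyncHttpClient client = Dsl.asyncHttpClient(
                Dsl.config().setFollowRedirect(false).build())) {
            URI current = URI.create(url);
            String credential = authorization;
            for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
                BoundRequestBuilder builder = client.prepareGet(current.toString());
                if (credential != null) {
                    builder.setHeader("Authorization", credential);
                }
                Response response = builder.execute().get();
                if (!isRedirect(response.getStatusCode())) {
                    return response;
                }
                String location = response.getHeader("Location");
                if (location == null) {
                    return response; // redirect status without a target: nothing to follow
                }
                URI next = current.resolve(location); // handles relative Location values
                if (next.getScheme() == null || next.getHost() == null) {
                    throw new IOException("unresolvable Location: " + location);
                }
                if (!sameOrigin(current, next)) {
                    // Cross-origin or HTTPS-to-HTTP: the credential must not travel with this hop.
                    credential = null;
                }
                current = next;
            }
            throw new IOException("too many redirects starting from " + url);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL and token; neither is real.
        Response r = getWithCredential("https://api.example.test/resource", "Bearer <token>");
        System.out.println(r.getStatusCode());
    }
}
```

The example attaches a raw Authorization header rather than a Realm on purpose: a Realm set on the request would be re-applied by the client on each hop regardless of what happens to the header, which is exactly the path the page says stripAuthorizationOnRedirect does not cover. Once the credential has been dropped it is never restored, even if a later hop redirects back to the original origin, since the intermediate hop has already seen the response chain.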
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes the leakage of sensitive credentials such as Authorization and Proxy-Authorization headers, including Bearer tokens and Basic authentication credentials, to arbitrary redirect targets across different domains, schemes, or ports. Such unauthorized disclosure of sensitive authentication information can lead to data breaches and unauthorized access.
Because GDPR, HIPAA, and similar regulations require the protection of personal and sensitive data, including authentication credentials, this vulnerability could result in non-compliance due to the exposure of confidential information. Organizations using vulnerable versions of AsyncHttpClient without proper mitigation risk violating these standards by failing to adequately protect user credentials.
Mitigations include upgrading to fixed versions (3.0.9 and 2.14.5 or later), configuring the client to strip authorization headers on redirects, or disabling automatic redirect following to prevent credential leakage and maintain compliance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the leakage of Authorization and Proxy-Authorization headers during HTTP redirects in vulnerable versions of AsyncHttpClient. Detection can focus on watching outbound HTTP traffic for these headers being sent to a domain, scheme, or port other than the one the original request targeted.
Capture and inspect HTTP requests and responses, especially redirect chains, to see whether Authorization headers are sent to unintended destinations. Bear in mind that only cleartext HTTP is readable on the wire; that is where an HTTPS-to-HTTP downgrade leak surfaces, while a cross-domain leak over TLS is only visible from the client side or at a redirect target you control.
- Use network packet capture tools like tcpdump or Wireshark to monitor HTTP traffic and filter for Authorization headers.
- Example tcpdump command to capture HTTP traffic containing Authorization headers: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i Authorization
- Use application-level logging or debugging to trace AsyncHttpClient requests and verify if Authorization headers are forwarded on redirects.
- Check your AsyncHttpClient configuration to see if followRedirect(true) is enabled without the appropriate fixes or settings.
The advisory itself provides no detection commands; the suggestions above follow from the nature of the bug and common network monitoring practice. The most reliable check remains the version: any deployment on 2.x below 2.14.5 or 3.x below 3.0.9 with followRedirect(true) should be treated as affected.