CVE-2026-45300
Status: Analyzed - Analysis Complete
Cookie Header Leak in AsyncHttpClient

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
Meta Information
Published: 2026-06-05
Last Modified: 2026-06-08
Generated: 2026-06-27
AI Q&A: 2026-06-06
EPSS Evaluated: 2026-06-25
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor                    Product             Version / Range
asynchttpclient_project   async-http-client   >= 2.0.0, < 2.15.0
asynchttpclient_project   async-http-client   >= 3.0.0, < 3.0.10
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-45300 is a vulnerability in the AsyncHttpClient (AHC) library where Cookie headers are not properly stripped when following cross-origin redirects.

Specifically, when the library follows a redirect to a different origin, the method responsible for propagating headers removes Authorization and Proxy-Authorization headers but fails to remove the Cookie header.

This causes session cookies and other sensitive cookie values to be sent to potentially attacker-controlled servers.

Impact Analysis

This vulnerability can lead to the leakage of sensitive session cookies, CSRF tokens, and API keys to attacker-controlled redirect targets.

As a result, attackers may hijack user sessions, steal CSRF tokens, expose API keys, and violate user privacy.

Detection Guidance

This vulnerability leaks Cookie headers on cross-origin HTTP redirects followed by affected AsyncHttpClient versions. Detection means finding outbound requests in which the Java client, immediately after receiving a 3xx response, sends the same Cookie header to a different origin (scheme, host or port) than the one that issued the redirect, and in particular to hosts the application has no business talking to.

Capture or log the client's own outbound traffic on the host running the application (or at its egress proxy), not the server's access logs: the leak happens in the client's follow-up request. Pair each 3xx response with the request that follows it and check whether a Cookie header was carried across a change of origin.

Network capture only helps where the traffic is visible in clear text. Port 443 carries TLS, so grepping a raw capture for `Cookie:` shows nothing for HTTPS unless you capture at a TLS-terminating proxy or decrypt the capture with a session-key log. With that caveat:

  • tcpdump -i <interface> -l -A -s 0 'tcp port 80' | grep -i 'Cookie:'   (plain HTTP only; `-l` line-buffers the output so grep sees it as it arrives)
  • In Wireshark, after decrypting TLS if needed (via the (Pre)-Master-Secret log file setting), apply the display filter `http.cookie` and compare the Host header of each request that follows a 3xx against the host that issued the redirect.

Application-level logging is usually the more reliable source: if the client logs every redirect response together with the follow-up request and its headers, the same pairing can be done offline over the log.
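The offline log review described above, as an added example for this page (it is not AsyncHttpClient code). The script walks a client-side HTTP log in order, pairs every 3xx response with the request that follows it, resolves relative Location values, and reports each follow-up request whose origin (scheme, host, effective port) differs from the redirecting origin while still carrying a Cookie header. The log format and the sample lines are constructed stand-ins for whatever an instrumented client actually emits.

```python
"""Detector for Cookie headers carried across cross-origin redirects.

Added example for this page (not AsyncHttpClient code). The log format is a
constructed stand-in for an instrumented client's output:
  "<timestamp> REQ <method> <url> [Header=value]"
  "<timestamp> RESP <status> <url> [Header=value]"
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample log: a same-origin redirect, a redirect to a third-party
# host, a redirect to a CDN sent without cookies, and an https->http redirect.
SAMPLE_LOG = """\
2026-06-10T12:00:00Z REQ GET https://app.example.com/login Cookie=session=abc123
2026-06-10T12:00:00Z RESP 302 https://app.example.com/login Location=/home
2026-06-10T12:00:00Z REQ GET https://app.example.com/home Cookie=session=abc123
2026-06-10T12:00:01Z REQ GET https://app.example.com/go?u=1 Cookie=session=abc123
2026-06-10T12:00:01Z RESP 302 https://app.example.com/go?u=1 Location=https://evil.example.net/landing
2026-06-10T12:00:01Z REQ GET https://evil.example.net/landing Cookie=session=abc123
2026-06-10T12:00:02Z REQ GET https://app.example.com/img Cookie=session=abc123
2026-06-10T12:00:02Z RESP 301 https://app.example.com/img Location=https://cdn.example.com/img
2026-06-10T12:00:02Z REQ GET https://cdn.example.com/img
2026-06-10T12:00:03Z REQ GET https://app.example.com/api Cookie=session=abc123
2026-06-10T12:00:03Z RESP 307 https://app.example.com/api Location=http://app.example.com/api
2026-06-10T12:00:03Z REQ GET http://app.example.com/api Cookie=session=abc123
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>REQ|RESP) (?P<code>\S+) (?P<url>\S+)(?: (?P<hdr>[^=\s]+=.*))?$"
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, effective port): the tuple a same-origin check compares."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def parse_line(line):
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    headers = {}
    if m.group("hdr"):
        name, value = m.group("hdr").split("=", 1)  # cookie values contain '=' themselves
        headers[name] = value
    return {"ts": m.group("ts"), "kind": m.group("kind"),
            "code": m.group("code"), "url": m.group("url"), "headers": headers}


def find_cookie_leaks(log_text):
    """Report follow-up requests that carried a Cookie header to a different origin."""
    pending = {}  # resolved redirect target -> origin of the request that was redirected
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "RESP":
            loc = rec["headers"].get("Location")
            if rec["code"].isdigit() and 300 <= int(rec["code"]) < 400 and loc:
                pending[urljoin(rec["url"], loc)] = origin(rec["url"])
            continue
        src = pending.pop(rec["url"], None)
        if src is None:
            continue  # not the follow-up to a redirect we saw
        if "Cookie" in rec["headers"] and origin(rec["url"]) != src:
            leaks.append({"time": rec["ts"], "from": src, "to": rec["url"],
                          "cookie": rec["headers"]["Cookie"]})
    return leaks


if __name__ == "__main__":
    for leak in find_cookie_leaks(SAMPLE_LOG):
        print(f'{leak["time"]} Cookie "{leak["cookie"]}" sent cross-origin '
              f'{leak["from"]} -> {leak["to"]}')
```

Run against the sample it reports two leaks: the redirect to evil.example.net and the https-to-http redirect on the same host (a scheme change is an origin change). The same-origin hop and the CDN request without a cookie are not reported. The origin comparison deliberately treats a subdomain or a different port as a different origin, which is what the fix has to do as well.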

Mitigation Strategies

The primary mitigation step is to upgrade the AsyncHttpClient library to a patched version where this vulnerability is fixed.

  • Upgrade to version 2.15.0 or later if you are using the 2.x branch.
  • Upgrade to version 3.0.10 or later if you are using the 3.x branch.

These versions include a fix that strips Cookie headers during cross-origin redirects, preventing sensitive cookie leakage.

Until the upgrade can be applied, the workaround belongs in the client rather than the network: an encrypted redirect chain is invisible to a network control, and a redirect to an attacker-controlled host looks like any other outbound HTTPS connection. An egress allowlist of the hosts the application legitimately contacts does at least limit where a leaked cookie can go.

Review application configuration to disable automatic redirect following where possible (AsyncHttpClient exposes this through the `setFollowRedirect` option on its configuration builder) and run the redirect loop yourself, reissuing the request only after stripping Cookie, Authorization and Proxy-Authorization whenever the target's origin (scheme, host, port) differs from the origin that issued the redirect.
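The header-propagation rule from the Description and the custom redirect handling suggested just above, as one added example for this page. It is written in Python rather than the library's Java and none of it is AsyncHttpClient code: `propagated_headers_vulnerable` models the pre-fix rule the advisory describes (only Authorization and Proxy-Authorization dropped cross-origin), `propagated_headers_fixed` models the fixed rule (Cookie dropped as well), and `follow_redirects` is the manual redirect loop a client can run with automatic following switched off. The in-memory `FAKE_SERVERS` map and the request headers are constructed so the example runs offline; same-origin hops are assumed to carry every header unchanged, since the advisory only describes the cross-origin case.

```python
"""Header propagation on redirect: the decision at the heart of CVE-2026-45300.

Added example for this page, in Python rather than the library's Java; not
AsyncHttpClient code. The vulnerable/fixed functions model the rule the
advisory describes; FAKE_SERVERS is a constructed stand-in for real servers.
Same-origin hops are assumed to carry all headers (not stated by the advisory).
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def origin(url):
    """(scheme, host, effective port): the tuple a same-origin check compares."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def _strip(headers, names):
    return {k: v for k, v in headers.items() if k.lower() not in names}


def propagated_headers_vulnerable(headers, from_url, to_url):
    """Pre-fix rule: Cookie survives a cross-origin hop."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return _strip(headers, CREDENTIAL_HEADERS)


def propagated_headers_fixed(headers, from_url, to_url):
    """Fixed rule: Cookie is dropped together with the credential headers."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return _strip(headers, CREDENTIAL_HEADERS | {"cookie"})


# Constructed in-memory "servers": url -> (status, response headers).
FAKE_SERVERS = {
    "https://app.example.com/start": (302, {"Location": "https://evil.example.net/landing"}),
    "https://app.example.com/two-step": (302, {"Location": "/mid"}),
    "https://app.example.com/mid": (302, {"Location": "https://evil.example.net/landing"}),
    "https://evil.example.net/landing": (200, {}),
}


def follow_redirects(url, headers, policy, servers=FAKE_SERVERS, max_redirects=5):
    """Manual redirect loop: apply `policy` to the headers before every hop.

    Returns (final_url, headers sent to the final url, [(url, sorted header names sent)]).
    """
    sent = dict(headers)
    hops = []
    for _ in range(max_redirects + 1):
        status, resp = servers.get(url, (404, {}))
        hops.append((url, sorted(sent)))
        loc = resp.get("Location")
        if not (300 <= status < 400 and loc):
            return url, sent, hops
        target = urljoin(url, loc)  # Location may be relative
        sent = policy(sent, url, target)
        url = target
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    req = {"Cookie": "session=abc123", "Authorization": "Bearer t0k3n", "Accept": "*/*"}
    for policy in (propagated_headers_vulnerable, propagated_headers_fixed):
        final, sent, _ = follow_redirects("https://app.example.com/start", req, policy)
        print(f"{policy.__name__}: {sorted(sent)} reach {final}")
```

With the vulnerable rule the request that reaches evil.example.net still carries `Cookie` (only `Authorization` was removed); with the fixed rule only `Accept` survives the cross-origin hop. The two-step chain shows why the check has to run at every hop: the same-origin hop to `/mid` legitimately keeps the cookie, and it is the second hop that must drop it. A scheme downgrade (https to http) or a move to a subdomain counts as cross-origin under this rule.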

Compliance Impact

Because the leaked cookies can carry session identifiers, CSRF tokens and API keys, a redirect to an attacker-controlled host can result in session hijacking, CSRF token theft, API key exposure and disclosure of personal data.

Exposure of authentication and session data in this way can put an organisation out of compliance with data protection regulations and standards such as GDPR and HIPAA, which require personal and sensitive information to be protected against unauthorized access and disclosure.
