CVE-2026-55688
Status: Received - Intake

AsyncHttpClient Cookie Injection via Domain Spoofing

Vulnerability report for CVE-2026-55688, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without verifying that the responding host is allowed to set a cookie for that domain, leading to a cookie tossing / cookie injection issue. A host the client connects to can therefore plant a cookie scoped to an unrelated domain, and the client will then send that cookie on later requests to that domain. Applications that use a single AsyncHttpClient instance - and thus the default, shared CookieStore - to reach both an attacker-influenced host and a trusted host are impacted. This issue has been fixed in versions 2.16.0 and 3.0.11.

CVSS Scores

EPSS Scores

Not yet evaluated (EPSS Evaluated: N/A).

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs

Vendor              Product             Version / Range
asynchttpclient     async_http_client   up to 2.16.0 (excluding 2.16.0)
asynchttpclient     async_http_client   up to 3.0.11 (excluding 3.0.11)
async_http_client   async_http_client   up to 2.16.0 (excluding 2.16.0)
async_http_client   async_http_client   up to 3.0.11 (excluding 3.0.11)

Helpful Resources

Exploitability

CWE

CWE-1275 (Sensitive Cookie with Improper SameSite Attribute): the SameSite attribute for sensitive cookies is not set, or an insecure value is used. Note that this mapping describes the SameSite attribute, whereas the defect in AsyncHttpClient is a missing check that the responding host is allowed to set a cookie for the Domain attribute it supplies; SameSite does not govern that check.

KEV

Compliance Impact

The vulnerability allows an attacker-influenced host to plant cookies scoped to unrelated domains, which can enable session fixation or overwrite a session identifier or CSRF token held for a trusted host. What is at stake is the integrity of user sessions and of the data handled within them.

The attacker cannot read cookies from the victim host, so the exposure is to unauthorized actions and data manipulation rather than disclosure. That can still affect compliance with standards that require strict session management and data integrity, such as GDPR and HIPAA.

Applications that use a single AsyncHttpClient instance, and therefore its shared CookieStore, to reach both untrusted and trusted hosts are the ones affected, with user sessions on the trusted host open to manipulation.

Mitigations are upgrading to a patched version, disabling the cookie store, or using a separate AsyncHttpClient instance per trust domain.

Executive Summary

The vulnerability in AsyncHttpClient affects the ThreadSafeCookieStore component, which stores cookies based on their Domain attribute without verifying if the responding host is authorized to set cookies for that domain. This flaw allows an attacker-controlled host to plant cookies scoped to unrelated domains, a technique known as cookie tossing or cookie injection.

As a result, the client may send these attacker-planted cookies on subsequent requests to the unrelated domain, potentially leading to session fixation or overwriting of session IDs or CSRF tokens. However, the attacker cannot read cookies from the victim host.

This issue affects AsyncHttpClient versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, and is fixed in versions 2.16.0 and 3.0.11.

Impact Analysis

This vulnerability can impact applications that use a single AsyncHttpClient instance with a shared CookieStore to access both attacker-influenced and trusted hosts.

  • An attacker can plant cookies for unrelated domains, causing the client to send these cookies on later requests to trusted domains.
  • This can lead to session fixation attacks or overwriting of session identifiers or CSRF tokens, potentially compromising user sessions.
  • The attacker cannot read cookies from the victim host, limiting the scope to integrity issues rather than confidentiality.

Applications that isolate cookie stores per trust domain, or that only ever connect to a fixed set of trusted backends, are not affected.

Detection Guidance

This vulnerability involves the AsyncHttpClient library improperly storing cookies for domains without verifying the responding host's authorization, leading to cookie tossing or injection.

To detect exploitation attempts on the wire, watch HTTP responses for Set-Cookie headers whose Domain attribute names a domain the responding host is not allowed to set. Under RFC 6265 a host may set a cookie for itself or for one of its parent domains (api.trusted.example may legitimately send Domain=trusted.example); a Domain that is unrelated to the responding host, or that is a subdomain of it, is the signature of cookie tossing. A mere difference between host and Domain is not enough, since parent-domain cookies are common and legitimate.

Commands that help, for plaintext HTTP only:

  • tcpdump -i <interface> -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Set-Cookie'
  • In Wireshark, apply the display filter: http.set_cookie

Both see the header in the clear only; for HTTPS traffic the check has to be made where plaintext is available, at a TLS-terminating proxy or inside the application. The IPv4 payload-length arithmetic in the tcpdump filter also does not cover IPv6.

Independently of traffic, confirm whether an affected build is on the classpath: inspect the dependency tree (mvn dependency:tree or gradle dependencies) for org.asynchttpclient:async-http-client and treat any version from 2.0.0 prior to 2.16.0, or from 3.0.0.Beta1 prior to 3.0.11, as vulnerable.
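The domain-match rule described above, and the cross-host scenario from the Description, as an added example that is not AsyncHttpClient's code: it models a store that files a cookie under its Domain attribute unchecked (the behaviour described for ThreadSafeCookieStore in affected versions) beside one that applies the RFC 6265 domain-match check on receipt, runs a shared-client scenario through both, and exposes the same rule as a predicate for captured Set-Cookie headers. The host names, URLs and Set-Cookie header are constructed for the demonstration, and the class and function names are mine; they do not correspond to AHC types.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, lower-case, leading dot stripped
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse 'name=value; Domain=...; ...' (subset of RFC 6265 section 5.2).
    A missing Domain attribute yields a host-only cookie for request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain = val.strip().lower().lstrip(".")
    if domain is None:
        return Cookie(name.strip(), value.strip(), request_host.lower(), True)
    return Cookie(name.strip(), value.strip(), domain, False)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
    This is the check the affected store skipped when storing a cookie."""
    host = request_host.lower()
    if host == cookie_domain:
        return True
    is_ip = host.replace(".", "").isdigit()
    return host.endswith("." + cookie_domain) and not is_ip


class TossingCookieStore:
    """Files every cookie under its Domain attribute with no check (the defect)."""

    def __init__(self) -> None:
        self.jar: dict[tuple[str, str], Cookie] = {}

    def add(self, response_url: str, set_cookie: str) -> bool:
        host = urlsplit(response_url).hostname
        c = parse_set_cookie(set_cookie, host)
        self.jar[(c.domain, c.name)] = c
        return True

    def get(self, request_url: str) -> dict[str, str]:
        """Cookies this store would attach to a request for request_url."""
        host = urlsplit(request_url).hostname
        sent = {}
        for c in self.jar.values():
            ok = host == c.domain if c.host_only else domain_matches(host, c.domain)
            if ok:
                sent[c.name] = c.value
        return sent


class CheckedCookieStore(TossingCookieStore):
    """Same store, but a Domain the responding host may not set is dropped."""

    def add(self, response_url: str, set_cookie: str) -> bool:
        host = urlsplit(response_url).hostname
        c = parse_set_cookie(set_cookie, host)
        if not c.host_only and not domain_matches(host, c.domain):
            return False  # cookie-tossing attempt: refuse to store it
        self.jar[(c.domain, c.name)] = c
        return True


# Constructed scenario: one shared client reaches an attacker-influenced host,
# then a trusted API. Hosts and header values are made up for this demo.
ATTACKER_URL = "https://attacker.example/landing"
TRUSTED_URL = "https://api.trusted.example/v1/profile"
TOSSED_HEADER = "JSESSIONID=attacker-chosen; Domain=trusted.example; Path=/"


def run_scenario(store: TossingCookieStore) -> dict[str, str]:
    """Cookies the client would send to the trusted API after visiting the
    attacker host, using the given store for both requests."""
    store.add(ATTACKER_URL, TOSSED_HEADER)
    return store.get(TRUSTED_URL)


def flag_set_cookie(response_url: str, set_cookie: str) -> bool:
    """Detection predicate for captured traffic: True when the header names a
    Domain the responding host may not set, i.e. one an affected AHC would
    have stored but a correct store must refuse."""
    host = urlsplit(response_url).hostname
    c = parse_set_cookie(set_cookie, host)
    return not c.host_only and not domain_matches(host, c.domain)


if __name__ == "__main__":
    print("affected store sends:", run_scenario(TossingCookieStore()))
    print("checked store sends: ", run_scenario(CheckedCookieStore()))
```

With the unchecked store the attacker-chosen JSESSIONID is attached to the request for api.trusted.example, which is the session-fixation path the advisory describes; the checked store refuses it at receipt, while a legitimate parent-domain cookie from login.trusted.example is still accepted and sent to sibling hosts. Feeding flag_set_cookie the response host and each Set-Cookie header from a capture gives the same verdict without a difference-of-strings heuristic.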

Mitigation Strategies

Immediate mitigation is to upgrade AsyncHttpClient to a fixed version: 2.16.0 or later on the 2.x line, or 3.0.11 or later on the 3.x line.

If upgrading is not immediately possible, disable the shared CookieStore on the client, or use separate AsyncHttpClient instances, each with its own CookieStore, for different trust domains, so that a cookie planted by an attacker-influenced host can never be attached to a request for a trusted one.

Either workaround removes the path by which an attacker-controlled host plants cookies scoped to unrelated domains; only the upgrade corrects the store's missing domain check itself.
