Main Vulnerability Database SB2026051366

SB2026051366 - Information disclosure in Async-http-client

Published: May 13, 2026

Security Bulletin ID SB2026051366

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2026-45300)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in Redirect30xInterceptor.java when following a cross-origin redirect or an HTTPS-to-HTTP downgrade. A remote attacker can trigger a redirect to an attacker-controlled target to disclose sensitive information.

User interaction is required to initiate the request that follows the redirect.

Remediation

Install update from vendor's website.

References

https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm
https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e