CVE-2026-45300 (EPSS percentile 17.7%)

asynchttpclient_project / async-http-client

Description

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
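The header-propagation rule the description refers to, as an added illustration rather than AHC's own code: a stand-alone Java model that derives the origin (scheme, host, effective port) of the current and redirect URLs and, only when they differ, drops `Cookie` together with `Authorization` and `Proxy-Authorization`. The class, method and header values are hypothetical and constructed for the demonstration.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical model of the redirect header filter; not the library's own implementation.
public class RedirectHeaderFilter {

    // Origin = lowercase scheme + lowercase host + effective port (default 80/443).
    static String origin(URI uri) {
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80;
        }
        return scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    static boolean sameOrigin(URI from, URI to) {
        return origin(from).equals(origin(to));
    }

    // Credential-bearing headers that must not follow a cross-origin redirect.
    // The vulnerable versions stripped only the first two; the fix adds Cookie.
    static final String[] CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"};

    // Returns the headers that may be copied onto the redirected request.
    static Map<String, String> propagatedHeaders(Map<String, String> original, URI from, URI to) {
        Map<String, String> out = new LinkedHashMap<>(original);
        if (!sameOrigin(from, to)) {
            for (String h : CREDENTIAL_HEADERS) {
                out.keySet().removeIf(k -> k.equalsIgnoreCase(h));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();   // constructed sample request headers
        headers.put("Cookie", "session=constructed-sample-value");
        headers.put("Authorization", "Bearer constructed-sample-token");
        headers.put("Accept", "application/json");
        URI from = URI.create("https://app.example/login");
        // Cross-origin redirect: Cookie and Authorization are dropped, Accept survives.
        System.out.println(propagatedHeaders(headers, from, URI.create("https://other.example/landing")));
        // Same-origin redirect (explicit 443 equals the https default): everything propagates.
        System.out.println(propagatedHeaders(headers, from, URI.create("https://app.example:443/home")));
    }
}
```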

Scoring

CVSS 7.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 0.27% probability of exploitation · percentile 17.7% · 2026-06-18T12:00:27Z
Last modified: 2026-06-08

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-47265
CVE: CVE-2026-41715
CVE: CVE-2026-34993
CVE: CVE-2026-34356
CVE: CVE-2026-1502
CVE: CVE-2026-32913
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.