=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN415
_____________________________________________________________________

DATE                : 23/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HttpClient versions prior
                     to 5.6.1.

=====================================================================
https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97
_____________________________________________________________________

[SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual
authentication bypass

Severity: important

Affected versions:

   - Apache HttpClient 5.6

Description:
A missing critical step in authentication in Apache HttpClient 5.6 may
allow an attacker to cause the client to accept SCRAM-SHA-256
authentication without proper mutual authentication verification.


Users are recommended to upgrade to Apache HttpClient 5.6.1, which
corrects this issue.
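The mutual-authentication step the advisory refers to is the client's
verification of the server's final message: in SCRAM-SHA-256 (RFC 5802,
RFC 7677) the server proves that it holds the credential by returning
v=ServerSignature, and a client that skips or mis-verifies that value
will accept any server that got through the first round. The Python
below is an added illustration of that exchange written for this note;
it is not the advisory's text and not Apache HttpClient's code, and it
makes no claim about how the library's defect was implemented or fixed.
The ScramClient/ScramServer/RogueServer names, the nonces, the salt and
the password are constructed for the example.

```python
"""Added example (not from the advisory or Apache HttpClient): a minimal
SCRAM-SHA-256 exchange per RFC 5802 / RFC 7677 that shows the server
signature check which gives the client mutual authentication.
All names and sample values are constructed for illustration."""
import base64
import hashlib
import hmac
import os

HASH = "sha256"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC-SHA-256, output length = hash length."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def derive_keys(password: bytes, salt: bytes, iterations: int):
    """Return (ClientKey, StoredKey, ServerKey) derived from a password."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


class ScramServer:
    """Honest server: stores only StoredKey and ServerKey, never the password."""

    def __init__(self, password: bytes, salt: bytes, iterations: int, nonce: str):
        _, self.stored_key, self.server_key = derive_keys(password, salt, iterations)
        self.salt, self.iterations, self.nonce = salt, iterations, nonce

    def first(self, client_first: str) -> str:
        # Strip the GS2 header "n,," to get client-first-message-bare.
        self.client_first_bare = client_first.split(",", 2)[2]
        client_nonce = self.client_first_bare.split(",r=")[1]
        self.server_first = (f"r={client_nonce}{self.nonce},s={b64(self.salt)},"
                             f"i={self.iterations}")
        return self.server_first

    def final(self, client_final_msg: str) -> str:
        without_proof, proof_b64 = client_final_msg.rsplit(",p=", 1)
        auth_message = ",".join([self.client_first_bare, self.server_first,
                                 without_proof]).encode()
        client_sig = hmac.new(self.stored_key, auth_message, HASH).digest()
        client_key = xor_bytes(base64.b64decode(proof_b64), client_sig)
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), self.stored_key):
            return "e=invalid-proof"
        # ServerSignature = HMAC(ServerKey, AuthMessage): only a holder of ServerKey can produce it.
        return "v=" + b64(hmac.new(self.server_key, auth_message, HASH).digest())


class RogueServer(ScramServer):
    """Server that never learned the credential: it can send a server-first
    message but cannot compute ServerSignature, so its 'v=' is a forgery."""

    def __init__(self, salt: bytes, iterations: int, nonce: str):
        self.salt, self.iterations, self.nonce = salt, iterations, nonce

    def final(self, client_final_msg: str) -> str:
        return "v=" + b64(os.urandom(32))


class ScramClient:
    def __init__(self, username: str, password: bytes, nonce: str):
        self.username, self.password, self.nonce = username, password, nonce

    def first(self) -> str:
        self.bare = f"n={self.username},r={self.nonce}"
        return "n,," + self.bare  # GS2 header: no channel binding

    def final(self, server_first: str) -> str:
        attrs = dict(item.split("=", 1) for item in server_first.split(","))
        if not attrs["r"].startswith(self.nonce):
            raise ValueError("server nonce does not extend client nonce")
        salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
        without_proof = f"c={b64(b'n,,')},r={attrs['r']}"
        auth_message = ",".join([self.bare, server_first, without_proof]).encode()
        client_key, stored_key, server_key = derive_keys(self.password, salt, iterations)
        client_sig = hmac.new(stored_key, auth_message, HASH).digest()
        proof = xor_bytes(client_key, client_sig)
        # Precompute the value an honest server's final message must carry.
        self.expected_server_sig = hmac.new(server_key, auth_message, HASH).digest()
        return without_proof + ",p=" + b64(proof)

    def verify_server_final(self, server_final: str) -> bool:
        """Mutual authentication: the one step that must gate success."""
        if not server_final.startswith("v="):
            return False  # an 'e=...' reply or a malformed message is not success
        try:
            received = base64.b64decode(server_final[2:], validate=True)
        except ValueError:
            return False
        return hmac.compare_digest(received, self.expected_server_sig)


def run_exchange(client: ScramClient, server: ScramServer) -> bool:
    """Drive one full exchange; True only if the client accepts the server."""
    server_first = server.first(client.first())
    server_final = server.final(client.final(server_first))
    return client.verify_server_final(server_final)


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample value
    print(run_exchange(ScramClient("user", b"pencil", "cn1"),
                       ScramServer(b"pencil", salt, 4096, "sn1")))  # True
    print(run_exchange(ScramClient("user", b"pencil", "cn2"),
                       RogueServer(salt, 4096, "sn2")))  # False
```

Run as a script, the honest server is accepted and the forged final
message is rejected. The point for a code reviewer is that
verify_server_final is the only path to a successful outcome: a reply
carrying e=, a missing or malformed v=, or a signature that does not
match the locally computed ServerSignature must all end the session as
a failure, with the comparison done in constant time.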

Credit:
This issue was reported by Rasmus Moorats.


References:
https://hc.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40542

https://github.com/apache/httpcomponents-client/commit/726eac2323d370435d8afca1e0540aa099927f18


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================