What is CVE-2026-40490?

CVE-2026-40490 is a medium-severity vulnerability in Asynchttpclient Async-http-client, classified under Information Disclosure. CVSS score: 6.8/10. Published 2026-04-18.

How severe is CVE-2026-40490?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Information disclosure in Asynchttpclient Async-http-client

CVE-2026-40490

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and…

Vulnerability class: Information Disclosure

EPSS: 0.001 (21.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N.

Affected products

Asynchttpclient Async-http-client — versions >= 3.0.0.Beta1, < 3.0.9, < 2.14.5

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g (x_refsource_CONFIRM)
https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8 (x_refsource_MISC)
https://github.com/AsyncHttpClient/async-http-client/commit/ae557ad35246721c09dafb2976609cd0004e78ae (x_refsource_MISC)
https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-2.14.5 (x_refsource_MISC)
https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.9 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-40490?: CVE-2026-40490 is a medium-severity vulnerability in Asynchttpclient Async-http-client, classified under Information Disclosure. CVSS score: 6.8/10. Published 2026-04-18.
How severe is CVE-2026-40490?: Medium severity. CVSS v3 base score is 6.8 out of 10.