CVE-2026-45300 is a sensitive information exposure vulnerability in the AsyncHttpClient (AHC) Java library in which Cookie headers are leaked to cross-origin redirect targets. It affects the 2.x branch prior to version 2.15.0 and the 3.x branch prior to version 3.0.10. The maintainer published the flaw on May 12, 2026, and it was added to the GitHub Advisory Database on May 18, 2026. It carries a CVSS v3.1 base score of 7.4 (High) (Github Advisory).
The root cause is an incomplete header-stripping implementation in Redirect30xInterceptor.java (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). When the library follows an HTTP redirect across a security boundary, that is, to a different origin or through an HTTPS-to-HTTP downgrade, the propagatedHeaders() method correctly removes the Authorization and Proxy-Authorization headers but omits the Cookie header from the same stripping logic. The stripAuth flag is set to true for cross-origin or scheme-downgrade redirects, but the corresponding code block only called headers.remove(AUTHORIZATION).remove(PROXY_AUTHORIZATION), leaving Cookie intact and forwarding it to the redirect destination, which may be attacker-controlled. The companion test class RedirectCredentialSecurityTest lacked coverage for Cookie stripping, so the regression went undetected (Github Advisory, Patch Commit).
Successful exploitation results in high confidentiality impact with no integrity or availability impact. Sensitive cookie values, including session tokens, CSRF tokens, API keys, and tracking identifiers, are disclosed to attacker-controlled servers when a Java application using the vulnerable AHC library follows a cross-origin redirect. This can enable session hijacking, account impersonation, CSRF token theft, and API key compromise, potentially affecting any user or service whose requests are proxied through the vulnerable library (Github Advisory).
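As an added illustration, not AsyncHttpClient's own code, the following standalone Java class models the decision described above: a stripAuth check that fires when the redirect target changes origin or downgrades from HTTPS to HTTP, a vulnerable variant that removes only the two authorization headers, and a fixed variant that removes Cookie as well. The class and method names, the sample header values and the URLs are all constructed for this example; the real library operates on Netty HttpHeaders and a URI-scoped CookieStore, which this model simplifies to a plain map.

```java
import java.net.URI;
import java.util.Map;
import java.util.TreeMap;

/** Illustrative model of redirect header propagation (constructed example, not AHC code). */
public final class RedirectHeaderPolicy {
    static final String AUTHORIZATION = "Authorization";
    static final String PROXY_AUTHORIZATION = "Proxy-Authorization";
    static final String COOKIE = "Cookie";

    /** True when following the redirect crosses a security boundary:
     *  the target origin differs, or the scheme downgrades from https to http. */
    static boolean stripAuth(URI from, URI to) {
        boolean downgrade = "https".equalsIgnoreCase(from.getScheme())
                && "http".equalsIgnoreCase(to.getScheme());
        return downgrade || !sameOrigin(from, to);
    }

    /** Origin = scheme + host + effective port (default 443 for https, 80 otherwise). */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Header names are case-insensitive, so copy into a case-insensitive map. */
    private static Map<String, String> copy(Map<String, String> headers) {
        Map<String, String> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        out.putAll(headers);
        return out;
    }

    /** Vulnerable behaviour from the advisory: only the two auth headers are stripped,
     *  so Cookie is forwarded even across a boundary. */
    static Map<String, String> propagatedHeadersVulnerable(Map<String, String> headers, URI from, URI to) {
        Map<String, String> out = copy(headers);
        if (stripAuth(from, to)) {
            out.remove(AUTHORIZATION);
            out.remove(PROXY_AUTHORIZATION);
        }
        return out;
    }

    /** Fixed behaviour: Cookie is stripped together with the auth headers. */
    static Map<String, String> propagatedHeadersFixed(Map<String, String> headers, URI from, URI to) {
        Map<String, String> out = copy(headers);
        if (stripAuth(from, to)) {
            out.remove(AUTHORIZATION);
            out.remove(PROXY_AUTHORIZATION);
            out.remove(COOKIE);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers; the values are placeholders, not real credentials.
        Map<String, String> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.put(AUTHORIZATION, "Bearer sample-token");
        headers.put(COOKIE, "JSESSIONID=sample-session-id");
        headers.put("Accept", "application/json");

        URI origin = URI.create("https://app.example.com/login");
        URI[] targets = {
            URI.create("https://app.example.com/home"),   // same origin: nothing stripped
            URI.create("https://cdn.example.net/landing"), // different host: boundary crossed
            URI.create("http://app.example.com/home")      // https -> http downgrade: boundary crossed
        };

        for (URI target : targets) {
            System.out.println("redirect -> " + target + " (stripAuth=" + stripAuth(origin, target) + ")");
            System.out.println("  vulnerable forwards: " + propagatedHeadersVulnerable(headers, origin, target).keySet());
            System.out.println("  fixed forwards:      " + propagatedHeadersFixed(headers, origin, target).keySet());
        }
    }
}
```

Running the class shows that for the same-origin target both variants forward all three headers, while for the cross-host and downgraded targets the vulnerable variant still forwards Cookie and the fixed variant forwards only Accept. The same boundary test is what the interim workaround in this report relies on when redirect following is disabled: with AHC's DefaultAsyncHttpClientConfig.Builder.setFollowRedirect(false), the application receives the 3xx response itself and can apply a check like stripAuth before issuing the follow-up request.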
Upgrade AsyncHttpClient to version 2.15.0 (for the 2.x branch) or 3.0.10 (for the 3.x branch), which add COOKIE to the set of headers stripped on cross-origin redirects in propagatedHeaders(). The fix ensures the URI-scoped CookieStore re-adds only cookies that legitimately match the new target after stripping, so legitimate cross-origin sessions are not broken. As an interim workaround where upgrading is not immediately possible, consider applying the SameSite cookie attribute on cookies set by your services to limit cross-origin exposure, and configure the application to disable automatic redirect following where feasible (Github Advisory, AHC v3.0.10 Release, Patch Commit).
The vulnerability was reported by security researcher tndud042713 and patched by maintainer hyperxpro in the same release cycle. The advisory was noted in the CISA vulnerability bulletin for the week of June 1, 2026, and picked up by automated vulnerability tracking feeds including Vulners, VulDB, and CVEFeed. No significant independent researcher commentary or broad media coverage has been identified beyond standard vulnerability database aggregation (Github Advisory).
Source: This report was generated with the help of AI.