PT-2026-41727 · Unknown · Async Http Client

Published: 2026-05-18 · Updated: 2026-05-18 · CVE-2026-45300

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
async-http-client versions prior to 2.15.0
async-http-client versions prior to 3.0.10

Description
An information disclosure issue exists where Cookie headers are leaked to cross-origin redirect targets. When the client follows a redirect across a security boundary, such as to a different origin or from HTTPS to HTTP, the propagatedHeaders() function in Redirect30xInterceptor.java fails to strip Cookie headers from the redirected request. Authorization and Proxy-Authorization headers are removed, but session cookies and other sensitive values carried in Cookie headers are forwarded to the redirect target, which may be attacker-controlled (for example, reached through an open redirect on the original host). This can lead to session hijacking, CSRF token theft, API key theft, and privacy leaks.

Recommendations
Update to version 2.15.0 or later on the 2.x branch, or to version 3.0.10 or later on the 3.x branch. Until the update is deployed, applications that do not need automatic redirect following can disable it in the client configuration and handle 3xx responses themselves, so that no request headers are re-sent to a redirect target.
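The header-filtering decision the description refers to, shown as an added illustrative example written for this page. It is not AHC's own Redirect30xInterceptor code: the class name, the crossesSecurityBoundary() helper, the header model and the sample URLs are all assumptions. The fixed behaviour strips Cookie alongside Authorization and Proxy-Authorization whenever the redirect target changes scheme, host or effective port; the vulnerable behaviour corresponds to leaving Cookie out of the SENSITIVE list. The example goes slightly beyond the advisory text by also treating a port change on the same host as a boundary crossing.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative redirect header filtering (example for this page, not AHC code).
 * Headers are modelled as name -> values; header names compare case-insensitively.
 */
public final class RedirectHeaderFilter {

    /** Headers that must never follow a redirect across a security boundary. */
    private static final List<String> SENSITIVE = List.of(
            "Authorization", "Proxy-Authorization", "Cookie");

    /** Effective port: the explicit port if given, else the scheme default. */
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) return uri.getPort();
        return "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
    }

    /**
     * A redirect crosses a security boundary when scheme, host or effective port
     * change. An HTTPS -> HTTP downgrade is a scheme change and is caught even when
     * host and port stay the same. Missing hosts are treated conservatively.
     */
    static boolean crossesSecurityBoundary(URI from, URI to) {
        if (from.getScheme() == null || to.getScheme() == null) return true;
        if (from.getHost() == null || to.getHost() == null) return true;
        if (!from.getScheme().equalsIgnoreCase(to.getScheme())) return true;
        if (!from.getHost().equalsIgnoreCase(to.getHost())) return true;
        return effectivePort(from) != effectivePort(to);
    }

    /** Headers to re-send on the redirected request (assumed signature). */
    static Map<String, List<String>> propagatedHeaders(
            Map<String, List<String>> original, URI from, URI to) {
        boolean strip = crossesSecurityBoundary(from, to);
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : original.entrySet()) {
            String name = e.getKey();
            if (strip && SENSITIVE.stream().anyMatch(s -> s.equalsIgnoreCase(name))) {
                continue; // drop credential-bearing headers on a cross-boundary hop
            }
            out.put(name, new ArrayList<>(e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers, including a session cookie.
        Map<String, List<String>> req = new LinkedHashMap<>();
        req.put("Cookie", List.of("session=abc123"));
        req.put("Authorization", List.of("Bearer token"));
        req.put("Accept", List.of("application/json"));

        URI origin = URI.create("https://app.example/login");
        URI[] targets = {
            URI.create("https://app.example/home"),       // same origin: keep all
            URI.create("https://app.example:8443/home"),  // port change: strip
            URI.create("http://app.example/home"),        // HTTPS -> HTTP downgrade: strip
            URI.create("https://evil.example/collect"),   // cross-origin: strip
        };
        for (URI t : targets) {
            System.out.println(t + " -> " + propagatedHeaders(req, origin, t).keySet());
        }
    }
}
```

Run it with `java RedirectHeaderFilter.java` (Java 11 or later). Only the first target keeps Cookie and Authorization; the other three forward just Accept. Note that a cookie store attached to the client, as opposed to an explicit Cookie header on the request, is a separate code path and is not covered by this filter.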

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2026-45300, GHSA-FMXF-PM6P-7XGM

Affected Products: Async Http Client