PT-2026-54858 · Unknown · Async Http Client

Hyperxpro

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-55688

CVSS v3.1

4.0

Medium

VectorAV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions AsyncHttpClient versions 2.0.0 through 2.15.9 AsyncHttpClient versions 3.0.0.Beta1 through 3.0.10
Description The ThreadSafeCookieStore component fails to verify if a responding host is authorized to set a cookie for a specific domain before storing it under that domain's attribute. This leads to cookie tossing or cookie injection, where a host connected to by the client can plant a cookie scoped to an unrelated domain. Consequently, the client will send this injected cookie in subsequent requests to that unrelated domain. This affects applications using a single, shared CookieStore instance to communicate with both a trusted host and a host influenced by an attacker.
Recommendations Update AsyncHttpClient to version 2.16.0. Update AsyncHttpClient to version 3.0.11.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55688
GHSA-M452-Q8C9-RG2F

Affected Products

Async Http Client