{"id":"CVE-2026-45300","summary":"async-http-client: Cookie header not stripped on cross-origin redirect","details":"The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.","aliases":["GHSA-fmxf-pm6p-7xgm"],"modified":"2026-07-15T01:49:05.061260232Z","published":"2026-06-05T19:32:43.547Z","related":["CGA-f637-mjqx-fv22"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-200"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45300.json"},"references":[{"type":"WEB","url":"https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10"},{"type":"ADVISORY","url":"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45300.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45300"},{"type":"FIX","url":"https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asynchttpclient/async-http-client","events":[{"introduced":"b60e5a0d7d989e4a24c13e03ba786c375b727448"},{"fixed":"9e52c0ca7cc10d8d19fc77a460e6e016f14a90d9"},{"introduced":"9a771c7b40e716ca77a3cad691545b29ff64bfd3"},{"fixed":"c910fe0af30c44228296bd080404c0e595d8a8ae"},{"fixed":"3b0e3e9e"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:asynchttpclient_project:async-http-client:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"2.0.0"},{"fixed":"2.15.0"},{"introduced":"3.0.0"},{"fixed":"3.0.10"}]}}],"versions":["async-http-client-project-3.0.9","async-http-client-project-2.14.5","async-http-client-project-2.12.4","async-http-client-project-3.0.8","async-http-client-project-3.0.7","async-http-client-project-3.0.6","async-http-client-project-3.0.5","async-http-client-project-3.0.4","async-http-client-project-3.0.3","async-http-client-project-3.0.2","async-http-client-project-2.12.3","async-http-client-project-3.0.1","async-http-client-project-3.0.0","async-http-client-project-2.12.2","async-http-client-project-2.12.1","async-http-client-project-2.12.0","async-http-client-project-2.11.0","async-http-client-project-2.10.5","async-http-client-project-2.10.4","async-http-client-project-2.10.3","async-http-client-project-2.10.2","async-http-client-project-2.10.1","async-http-client-project-2.10.0","async-http-client-project-2.9.0","async-http-client-project-2.8.1","async-http-client-project-2.8.0","async-http-client-project-2.7.0","async-http-client-project-2.6.0","async-http-client-project-2.5.4","async-http-client-project-2.5.3","async-http-client-project-2.5.2","async-http-client-project-2.5.1","async-http-client-project-2.5.0","async-http-client-project-2.4.9","async-http-client-project-2.4.8","async-http-client-project-2.4.7","async-http-client-project-2.4.6","async-http-client-project-2.4.5","async-http-client-project-2.4.4","async-http-client-project-2.4.3","async-http-client-project-2.4.2","async-http-client-project-2.4.1","async-http-client-project-2.4.0","async-http-client-project-2.3.0","async-http-client-project-2.2.1","async-http-client-project-2.2.0","async-http-client-project-2.1.2","async-http-client-project-2.1.1","async-http-client-project-2.1.0","async-http-client-project-2.1.0-RC4","async-http-client-project-2.1.0-RC3","async-http-client-project-2.1.0-RC2","async-http-client-project-2.1.0-RC1","async-http-client-project-2.1.0-alpha26","async-http-client-project-2.1.0-alpha25","async-http-client-project-2.1.0-alpha24","async-http-client-project-2.1.0-alpha23","async-http-client-project-2.1.0-alpha22","async-http-client-project-2.1.0-alpha21","async-http-client-project-2.1.0-alpha20","async-http-client-project-2.1.0-alpha19","async-http-client-project-2.1.0-alpha18","async-http-client-project-2.1.0-alpha17","async-http-client-project-2.1.0-alpha16","async-http-client-project-2.1.0-alpha15","async-http-client-project-2.1.0-alpha14","async-http-client-project-2.1.0-alpha13","async-http-client-project-2.1.0-alpha12","async-http-client-project-2.1.0-alpha11","async-http-client-project-2.1.0-alpha10","async-http-client-project-2.1.0-alpha9","async-http-client-project-2.1.0-alpha8","async-http-client-project-2.1.0-alpha7","async-http-client-project-2.1.0-alpha6","async-http-client-project-2.1.0-alpha5","async-http-client-project-2.1.0-alpha4","async-http-client-project-2.1.0-alpha3","async-http-client-project-2.1.0-alpha2","async-http-client-project-2.0.24","async-http-client-project-2.0.23","async-http-client-project-2.0.22","async-http-client-project-2.0.21","async-http-client-project-2.0.20","async-http-client-project-2.0.19","async-http-client-project-2.0.18","async-http-client-project-2.0.17","async-http-client-project-2.0.16","async-http-client-project-2.0.15","async-http-client-project-2.0.14","async-http-client-project-2.0.13","async-http-client-project-2.0.12","async-http-client-project-2.0.11","async-http-client-project-2.0.10","async-http-client-project-2.0.9","async-http-client-project-2.0.8","async-http-client-project-2.0.7","async-http-client-project-2.0.6","async-http-client-project-2.0.5","async-http-client-project-2.0.4","async-http-client-project-2.0.3","async-http-client-project-2.0.2","async-http-client-project-2.0.1","async-http-client-project-2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45300.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"}]}