{"schema_version": "1.6.1", "id": "CVE-2026-40542", "summary": "SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification", "details": "Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "5.6"}, {"fixed": "5.6.1"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97"}]}