- Product: Apache Software Foundation Apache HttpComponents Core
- Vulnerabilities: 2 flaws (CVE-2026-54428, CVE-2026-54399)
- Highest severity: 7.5 (High · CVSSv3)
- Worst impact: HPackDecoder Unlimited Header List Size Before SETTINGS ACK
- Status: No confirmed exploitation yet
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-54428 | 7.5 | CWE-400 | Not exploited |
| CVE-2026-54399 | 7.5 | CWE-400 | Not exploited |
TL;DR
The Apache Software Foundation has disclosed two Apache HttpComponents Core vulnerabilities, CVE-2026-54399 and CVE-2026-54428. Both carry an Important severity rating and allow remote denial-of-service attacks through memory exhaustion. No exploitation in the wild or public proof-of-concept has been confirmed.
Why It Matters
HttpComponents Core provides the low-level HTTP engine behind Apache HttpClient and many Java services. Consequently, a memory exhaustion flaw in this library can crash applications far beyond the Apache ecosystem. Neither bug requires authentication, so any exposed endpoint becomes a target. Moreover, attackers favor this class of flaw because a cheap request stream can exhaust server memory.
How the Attacks Work
CVE-2026-54399: Unbounded HTTP/1.1 Headers
The HTTP/1.1 message parser sets no limit on header count or header length in its default configuration. As a result, an attacker can send messages with an excessive number of headers or oversized header lines. The parser keeps allocating memory until the process exhausts it.
CVE-2026-54428: HPACK Decoding Before SETTINGS ACK
The HTTP/2 HPACK decoder enforces its header list size limit only after the SETTINGS acknowledgement arrives. Therefore, an attacker can push oversized compressed header blocks before that handshake step completes. The decoder allocates resources without throttling and triggers the same memory exhaustion outcome.
Affected Versions
CVE-2026-54399 affects the httpcore5 module in versions 5.4.2 and earlier, plus 5.5-beta1. Likewise, CVE-2026-54428 affects the httpcore5-h2 module across the same releases. Teams should verify their exact dependency versions, since older 5.x builds fall in scope as well.
Patch and Mitigation Steps
Developers can resolve both Apache HttpComponents Core vulnerabilities by upgrading to a release later than the affected ones. Fixed builds are available on the official Apache HttpComponents download page. Teams should also audit dependency trees, because build tools often pull httpcore5 in transitively, so an application may carry an affected version without declaring it directly. As defense in depth, operators can enforce strict header limits at a reverse proxy in front of exposed services.
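Because the HTTP/1.1 parser ships with no header limits in its default configuration, services that cannot upgrade immediately can at least set explicit caps. The following is an added example (not code from the page or from the Apache project) that builds a bounded `Http1Config` and `H2Config` for an httpcore5 server; the builder method names are assumed from the httpcore5 / httpcore5-h2 API and should be checked against the javadoc of your version, and the limit values are constructed for illustration.

```java
import org.apache.hc.core5.http.config.Http1Config;
import org.apache.hc.core5.http.impl.bootstrap.HttpServer;
import org.apache.hc.core5.http.impl.bootstrap.ServerBootstrap;
import org.apache.hc.core5.http2.config.H2Config;
import org.apache.hc.core5.util.TimeValue;

public final class BoundedHeaderConfig {

    // Constructed limits for this example; size them for your real traffic.
    static final int MAX_HEADER_COUNT = 100;        // headers per message
    static final int MAX_LINE_LENGTH = 8 * 1024;    // bytes per header line
    static final int MAX_HEADER_LIST_SIZE = 16 * 1024; // decoded HPACK list

    // Mitigates the CVE-2026-54399 condition: the parser rejects a message
    // once the header count or a single line exceeds the cap instead of
    // buffering without bound. (Assumed builder method names.)
    static Http1Config http1Limits() {
        return Http1Config.custom()
                .setMaxHeaderCount(MAX_HEADER_COUNT)
                .setMaxLineLength(MAX_LINE_LENGTH)
                .build();
    }

    // Caveat from the advisory: affected releases apply this HTTP/2 limit
    // only after the SETTINGS ACK, so it does not close CVE-2026-54428 by
    // itself; upgrading httpcore5-h2 is still required. (Assumed method name.)
    static H2Config h2Limits() {
        return H2Config.custom()
                .setMaxHeaderListSize(MAX_HEADER_LIST_SIZE)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Classic (blocking) HTTP/1.1 server with the bounded parser config.
        HttpServer server = ServerBootstrap.bootstrap()
                .setListenerPort(8080)
                .setHttp1Config(http1Limits())
                .register("*", (request, response, context) -> response.setCode(204))
                .create();
        server.start();
        Runtime.getRuntime().addShutdownHook(new Thread(server::close));
        server.awaitTermination(TimeValue.ofHours(1));
    }
}
```

A request that exceeds either HTTP/1.1 cap is rejected by the parser rather than accumulated in memory; the reverse-proxy limits mentioned above remain a useful second layer for traffic that never reaches this code path.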