CVE-2026-54148: DigestAuthProvider.verify did not bind to request URI
Severity: HIGH
June 16, 2026
Description
An issue in DigestAuthProvider.verify: the uri parameter in the client’s Authorization: Digest … response was not checked against the actual request URL. A captured Digest authentication response could be replayed against any other URL served by the same realm, breaking the per-request-URL binding the Digest scheme assumes.
Any application using http4k-security-digest for HTTP Digest authentication is affected. The bug has been present since DigestAuthProvider was introduced (commit 8a52b615b1, 2021).
The fix rejects credentials whose uri parameter does not match the request URL.
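To make the missing check concrete, the following is an added example, not http4k's code, written in Python rather than Kotlin so the Digest arithmetic stands on its own: a minimal RFC 2617 verifier (no qop) in its vulnerable form beside the fixed form, with a constructed realm, user table and nonce.

```python
import hashlib
import hmac
import re

# Constructed demo realm, user table and nonce; none of this is http4k's code.
REALM = "demo"
USERS = {"alice": "correct horse battery staple"}
NONCE = "constructed-nonce-0001"

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into its parameters."""
    body = header[len("Digest "):] if header.startswith("Digest ") else ""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)
    return {k: quoted or bare for k, quoted, bare in pairs}

def expected_response(user: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), with HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{user}:{REALM}:{USERS[user]}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def _verify(method: str, request_uri: str, header: str, bind_uri: bool) -> bool:
    p = parse_digest(header)
    if p.get("username") not in USERS or p.get("nonce") != NONCE:
        return False
    # The fix: the uri the client signed must be the URL actually being requested.
    if bind_uri and p.get("uri") != request_uri:
        return False
    # Without the check above, HA2 is recomputed from the client's own uri, so a
    # response captured for one URL verifies for every URL in the realm.
    want = expected_response(p["username"], method, p.get("uri", ""), NONCE)
    return hmac.compare_digest(p.get("response", ""), want)

def verify_vulnerable(method: str, request_uri: str, header: str) -> bool:
    return _verify(method, request_uri, header, bind_uri=False)

def verify_fixed(method: str, request_uri: str, header: str) -> bool:
    return _verify(method, request_uri, header, bind_uri=True)

def client_header(user: str, method: str, uri: str) -> str:
    """Authorization value a legitimate client sends for one request."""
    resp = expected_response(user, method, uri, NONCE)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{resp}"')
```

A real server also tracks issued nonces and their use count; that bookkeeping is omitted here so the uri binding is the only difference between the two verifiers.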
Affected http4k modules & versions
http4k-security-digest
- 6.49.0.0 and below
- 5.41.0.0 and below
- 4.50.0.0 and below
Mitigation
Users of affected versions should upgrade to the corresponding fixed version as below. http4k EE subscribers can access the fixed LTS versions through the dedicated http4k Maven instance. For more details about the http4k EE LTS versions, please contact http4k enterprise support.
| Version | Fixed Version | Availability |
|---|---|---|
| <= 6.49.0.0 | 6.50.0.0 | Community & Enterprise Support |
| <= 5.41.0.0 | 5.42.0.0 | Enterprise Support Only |
| <= 4.50.0.0 | 4.51.0.0 | Enterprise Support Only |
Older, unsupported versions are also affected.
For deployments that cannot upgrade immediately, place Digest auth behind a reverse proxy that pins requests to a single URL.
Resolution timeline
| Date/time | Notes |
|---|---|
| 2021 | Vulnerability introduced alongside DigestAuthProvider (commit 8a52b615b1) |
| 30/05/2026 | Discovered during the Claude-assisted security review pass; documented as part of combined advisory GHSA-vxxm-wwqh-mh47 |
| 31/05/2026 | Fix released in http4k CE v6.50.0.0 and http4k EE LTS v5.42.0.0 / v4.51.0.0 |
| 10/06/2026 | GitHub declined to assign a CVE under CNA rule 4.2.11 (combined advisory covered two independently fixable vulnerabilities) |
| 11/06/2026 | Advisory split: URI-binding issue moved to its own advisory GHSA-p28p-j94q-pg32 by @s4nchez |
| 11/06/2026 | CVE requested from GitHub |
| 12/06/2026 | CVE-2026-54148 assigned by GitHub |
| 16/06/2026 | Public disclosure |
References
- Full GitHub Advisory: https://github.com/http4k/http4k/security/advisories/GHSA-p28p-j94q-pg32
- NIST CVE Registry: https://nvd.nist.gov/vuln/detail/CVE-2026-54148
