fix(deps): bump httpclient5 to 5.6.1 for CVE-2026-40542 (#17323)

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: david-leifker

build.gradle

@@ -68,6 +68,8 @@ buildscript {
   ext.micrometerVersion = '1.15.1'
   ext.vertxVersion = '4.5.24'  // CVE-2026-1002 (e.g. from fabric8 kubernetes-httpclient-vertx)
   ext.nettyVersion = '4.1.132.Final' // align all io.netty modules; CVE-2026-33870
+  // CVE-2026-40542 / GHSA: SCRAM-SHA-256 authentication verification (httpclient5 5.6 → 5.6.1+)
+  ext.httpClient5Version = '5.6.1'
   // Align org.bouncycastle *-jdk18on (bcpkix, bcprov, bcutil); CVE-2026-0636 (bcprov fixed in 1.84+)
   ext.bouncyCastleJdk18onVersion = '1.84'
   // gRPC line version (grpc-netty-shaded bundles its own Netty; inspect META-INF/io.grpc.netty.shaded.io.netty.versions.properties in that jar).
@@ -191,7 +193,7 @@ project.ext.externalDependency = [
     'hibernateCore': 'org.hibernate:hibernate-core:5.2.16.Final',
     // CVE-2025-35036 / GHSA-7v6m-28jr-rg84 (EL in constraint violation messages); Play java-forms pulls 6.1.x otherwise
     'hibernateValidator': 'org.hibernate.validator:hibernate-validator:6.2.5.Final',
-    'httpClient': 'org.apache.httpcomponents.client5:httpclient5:5.4.3',
+    'httpClient': 'org.apache.httpcomponents.client5:httpclient5:' + httpClient5Version,
     'iStackCommons': 'com.sun.istack:istack-commons-runtime:4.0.1',
     // The jacksonBom controls the version of other jackson modules; pin the version once.
     // implementation enforcedPlatform(externalDependency.jacksonBom)
@@ -694,6 +696,7 @@ subprojects {
         implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion")
         implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:$jacksonVersion")
         implementation('com.squareup.okhttp3:okhttp:4.12.0')
+        implementation("org.apache.httpcomponents.client5:httpclient5:${rootProject.ext.httpClient5Version}") // CVE-2026-40542
         implementation(externalDependency.commonsIo)
         implementation(externalDependency.protobuf)
         implementation(externalDependency.xercesImpl) // Xerces CVEs (2 high, 1 medium)

datahub-frontend/gradle.lockfile

@@ -318,9 +318,9 @@ org.apache.commons:commons-compress:1.27.1=compileClasspath,runtimeClasspath,tes
 org.apache.commons:commons-exec:1.3=testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.15.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore-nio:4.4.16=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

datahub-graphql-core/gradle.lockfile

@@ -276,9 +276,9 @@ org.apache.commons:commons-compress:1.27.1=compileClasspath,runtimeClasspath,tes
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,testCompileClasspath
 org.apache.commons:commons-text:1.14.0=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore-nio:4.4.16=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

datahub-upgrade/gradle.lockfile

@@ -395,9 +395,9 @@ org.apache.hadoop:hadoop-mapreduce-client-jobclient:3.4.1=compileClasspath,produ
 org.apache.hadoop:hadoop-yarn-api:3.4.1=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.hadoop:hadoop-yarn-client:3.4.1=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.hadoop:hadoop-yarn-common:3.4.1=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore-nio:4.4.16=compileClasspath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

entity-registry/gradle.lockfile

@@ -223,9 +223,9 @@ org.apache.avro:avro:1.9.2=pegasusPlugin
 org.apache.commons:commons-compress:1.27.1=pegasusPlugin,restClient,restClientCompile,testCompileClasspath,testRestClient,testRuntimeClasspath
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,dataModel,dataTemplate,dataTemplateCompile,pegasusPlugin,restClient,restClientCompile,runtimeClasspath,testCompileClasspath,testDataModel,testDataTemplate,testFixturesCompileClasspath,testFixturesRuntimeClasspath,testRestClient,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,dataModel,dataTemplate,dataTemplateCompile,pegasusPlugin,restClient,restClientCompile,runtimeClasspath,testCompileClasspath,testDataModel,testDataTemplate,testFixturesCompileClasspath,testFixturesRuntimeClasspath,testRestClient,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.3.1=pegasusPlugin,restClient,restClientCompile,testRestClient
 org.apache.httpcomponents:httpclient:4.5.14=testCompileClasspath,testRuntimeClasspath

ingestion-scheduler/gradle.lockfile

@@ -274,9 +274,9 @@ org.apache.commons:commons-compress:1.27.1=compileClasspath,runtimeClasspath,tes
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,testCompileClasspath
 org.apache.commons:commons-text:1.14.0=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore-nio:4.4.16=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

metadata-auth/auth-api/gradle.lockfile

@@ -209,9 +209,9 @@ org.apache.commons:commons-collections4:4.5.0=testCompileClasspath,testRuntimeCl
 org.apache.commons:commons-compress:1.27.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore-nio:4.4.16=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

metadata-dao-impl/kafka-producer/gradle.lockfile

@@ -272,9 +272,9 @@ org.apache.commons:commons-compress:1.27.1=compileClasspath,runtimeClasspath,tes
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,testCompileClasspath
 org.apache.commons:commons-text:1.14.0=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=runtimeClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=runtimeClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpasyncclient:4.1.5=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.14=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore-nio:4.4.16=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath

metadata-integration/java/acryl-spark-lineage/gradle.lockfile

@@ -212,9 +212,9 @@ org.apache.hive:hive-serde:2.3.9=compileClasspath,provided,runtimeClasspath,test
 org.apache.hive:hive-shims:2.3.9=compileClasspath,provided,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.hive:hive-storage-api:2.7.2=compileClasspath,provided,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.hive:hive-vector-code-gen:2.3.9=compileClasspath,provided,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.13=compileClasspath,provided,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpcore:4.4.13=compileClasspath,provided,testCompileClasspath
 org.apache.httpcomponents:httpcore:4.4.16=runtimeClasspath,testRuntimeClasspath

metadata-integration/java/datahub-client/gradle.lockfile

@@ -108,9 +108,9 @@ org.apache.avro:avro:1.11.5=compileClasspath,runtimeClasspath,testCompileClasspa
 org.apache.commons:commons-compress:1.27.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-lang3:3.18.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.commons:commons-text:1.10.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.client5:httpclient5:5.4.3=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5-h2:5.3.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-org.apache.httpcomponents.core5:httpcore5:5.3.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.client5:httpclient5:5.6.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5-h2:5.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
+org.apache.httpcomponents.core5:httpcore5:5.4=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.13=runtimeClasspath,testRuntimeClasspath
 org.apache.httpcomponents:httpclient:4.5.2=testCompileClasspath
 org.apache.httpcomponents:httpcore:4.4.16=runtimeClasspath,testRuntimeClasspath