CVE-2026-54147: DigestAuthProvider.verify ignored configured algorithm
Severity: MODERATE
June 16, 2026
Description
An issue in DigestAuthProvider.verify: the configured algorithm parameter was silently ignored, so every verification used MD5 regardless of configuration. Deployments believing they were running SHA-256 Digest auth were in fact inheriting MD5’s collision weaknesses, including documented attack paths against Digest schemes that rely on the hash being collision-resistant.
Any application using http4k-security-digest for HTTP Digest authentication is affected. The bug has been present since DigestAuthProvider was introduced (commit 8a52b615b1, 2021).
The fix hashes with the configured algorithm instead of hardcoded MD5.
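To make the defect concrete, the following is an added Python model of RFC 7616 Digest verification (example code, not http4k's own): verify_fixed hashes with the configured algorithm, while verify_buggy mirrors the affected behaviour of accepting the algorithm parameter and hashing with MD5 anyway. The field names, nonces and credentials are constructed for the example.

```python
import hashlib
import hmac

# RFC 7616 algorithm tokens mapped to hash constructors (the RFC's names,
# not http4k's own API).
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm, data):
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Client-side response value per RFC 7616 section 3.4.1 (qop=auth)."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_fixed(configured_algorithm, password, f):
    """Verifier that hashes with the algorithm it was configured with."""
    expected = digest_response(configured_algorithm, f["username"], f["realm"],
                               password, f["method"], f["uri"], f["nonce"],
                               f["nc"], f["cnonce"])
    return hmac.compare_digest(expected, f["response"])


def verify_buggy(configured_algorithm, password, f):
    """Models the defect: the parameter is accepted but MD5 is used regardless."""
    del configured_algorithm  # silently ignored, as in the affected versions
    return verify_fixed("MD5", password, f)


# Constructed sample credentials and challenge values, not from any real system.
SAMPLE = dict(username="alice", realm="example.test", method="GET",
              uri="/dir/index.html", nonce="constructed-nonce-1",
              nc="00000001", cnonce="constructed-cnonce-1")
PASSWORD = "correct horse battery staple"


def outcome(configured_algorithm, client_algorithm):
    """Submit a response computed with client_algorithm to a server configured
    for configured_algorithm; return (fixed_accepts, buggy_accepts)."""
    f = dict(SAMPLE, response=digest_response(
        client_algorithm, SAMPLE["username"], SAMPLE["realm"], PASSWORD,
        SAMPLE["method"], SAMPLE["uri"], SAMPLE["nonce"], SAMPLE["nc"],
        SAMPLE["cnonce"]))
    return (verify_fixed(configured_algorithm, PASSWORD, f),
            verify_buggy(configured_algorithm, PASSWORD, f))
```

outcome("SHA-256", "MD5") returning (False, True) is the signature of the bug: a server configured for SHA-256 that only accepts MD5-computed responses is really running MD5, which is what the mitigation below asks operators to assume.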
Affected http4k modules & versions
http4k-security-digest
- 6.49.0.0 and below
- 5.41.0.0 and below
- 4.50.0.0 and below
Mitigation
Users of affected versions should upgrade to the corresponding fixed version as below. http4k EE subscribers can access the fixed LTS versions through the dedicated http4k Maven instance. For more details about the http4k EE LTS versions, please contact http4k enterprise support.
| Version | Fixed Version | Availability |
|---|---|---|
| <= 6.49.0.0 | 6.50.0.0 | Community & Enterprise Support |
| <= 5.41.0.0 | 5.42.0.0 | Enterprise Support Only |
| <= 4.50.0.0 | 4.51.0.0 | Enterprise Support Only |
Older, unsupported versions are also affected.
For deployments that cannot upgrade immediately, do not rely on the configured algorithm; assume MD5 is in use and treat the Digest credentials as low-trust.
Resolution timeline
| Date/time | Notes |
|---|---|
| 11/07/2021 | Vulnerability introduced alongside DigestAuthProvider (commit 8a52b615b1) |
| 30/05/2026 | Discovered during the Claude-assisted security review pass |
| 31/05/2026 | Fix released in http4k CE v6.50.0.0 and http4k EE LTS v5.42.0.0 / v4.51.0.0 |
| 01/06/2026 | Advisory GHSA-vxxm-wwqh-mh47 opened on GitHub by @daviddenton, initially covering both algorithm and URI-binding |
| 01/06/2026 | CVE requested from GitHub |
| 10/06/2026 | CVE re-requested from GitHub |
| 10/06/2026 | GitHub declined to assign a CVE under CNA rule 4.2.11 (combined advisory covered two independently fixable vulnerabilities) |
| 11/06/2026 | Advisory restricted to the algorithm issue; URI-binding issue split out as GHSA-p28p-j94q-pg32 (CVE-2026-54148) |
| 11/06/2026 | CVE re-requested from GitHub for the algorithm-only advisory |
| 12/06/2026 | CVE-2026-54147 assigned by GitHub |
| 16/06/2026 | Public disclosure |
References
- Full GitHub Advisory: https://github.com/http4k/http4k/security/advisories/GHSA-vxxm-wwqh-mh47
- NIST CVE Registry: https://nvd.nist.gov/vuln/detail/CVE-2026-54147
