CVE-2026-40175: Axios HTTP Client RCE Vulnerability

Article ID: 442289

Products

Clarity PPM On Premise

Issue/Introduction

CVE-2026-40175 is a vulnerability in the popular Axios HTTP client library. It is a "gadget" attack chain: a JavaScript Prototype Pollution primitive is used to smuggle attacker-controlled HTTP headers into the requests Axios sends (HTTP Header Injection).

Clarity PPM is not vulnerable to CVE-2026-40175. The reason is the underlying technology stack: Clarity PPM is a Java-based enterprise application, whereas this vulnerability affects only JavaScript/Node.js runtime environments that use the Axios library for server-side outbound requests.

Why Clarity PPM is Not Vulnerable

  • Clarity PPM is built on a Java / J2EE enterprise framework. Its server-side logic executes inside Java Virtual Machines (JVMs) hosted on application servers such as Apache Tomcat. CVE-2026-40175 targets the Axios library, which exists only in the JavaScript ecosystem, so the vulnerable code has no footprint or execution path in Clarity's Java backend.
  • The exploit depends on a gadget chain that begins with Prototype Pollution. Prototype Pollution is specific to JavaScript's prototypal inheritance: an attacker who can write to Object.prototype (for example through an unsafe recursive merge of untrusted JSON containing a "__proto__" key) changes the properties that every object in the process appears to have.
  • Java uses a strict, class-based object model. A Java object's class structure cannot be dynamically or globally mutated at runtime by unprivileged input. Without a way to pollute a shared prototype, the prerequisite for passing attacker-controlled headers into an HTTP client does not exist.
  • When Clarity PPM performs integrations, data warehouse jobs, or outbound web service calls (via XOG, GEL scripting, or REST/SOAP plugins), it uses Java-native networking or enterprise Java HTTP clients (such as Apache HttpClient or Java's HttpURLConnection). It does not run a server-side Node.js engine and does not use Axios for outbound server-to-server traffic.
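The pollution-to-header gadget pattern described in the bullets above, shown end to end in a Node.js process. This is an added, constructed illustration of the generic technique; it is not Axios source, not the code path of CVE-2026-40175, and not Clarity code. The merge functions, the header serializer, the header names and the attacker JSON are all assumptions made for the example.

```javascript
// Added illustration of the gadget pattern: a prototype-pollution source
// feeding an HTTP header injection sink. Constructed code, not Axios source,
// not the CVE's actual code path, and not Clarity code.

// Sink stand-in: a minimal client that enumerates the headers object with
// for...in. Unlike Object.keys, for...in also walks enumerable properties
// inherited from Object.prototype, so a polluted prototype leaks into the request.
function serializeHeaders(headers) {
  const lines = [];
  for (const name in headers) {
    lines.push(`${name}: ${String(headers[name])}`);
  }
  return lines;
}

// Vulnerable source: a recursive "deep merge" that copies any key, including
// "__proto__". JSON.parse creates "__proto__" as an own property, so
// Object.keys() returns it, and target["__proto__"] resolves to Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse keys that reach the prototype chain and only descend
// into the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Defence in depth at the sink: CR/LF in a header name or value is what turns a
// polluted header into a smuggled one, so reject it regardless of its origin.
function containsCrlf(lines) {
  return lines.some((line) => /[\r\n]/.test(line));
}

// Constructed attacker payload (assumed header names): pollutes Object.prototype
// with a header whose value carries an embedded CRLF and a second, smuggled header.
const ATTACKER_JSON = '{"__proto__": {"X-Injected": "1\\r\\nX-Smuggled: yes"}}';

// Models both halves of the chain in one process: user-controlled config is
// merged into defaults, then unrelated code later builds a request from a fresh
// headers object that never mentions X-Injected.
function buildRequestHeaders(merge, untrustedJson) {
  merge({}, JSON.parse(untrustedJson));
  const headers = { Accept: 'application/json' };
  try {
    return serializeHeaders(headers);
  } finally {
    // Undo any pollution so the rest of the process is unaffected.
    delete Object.prototype['X-Injected'];
  }
}

const polluted = buildRequestHeaders(unsafeMerge, ATTACKER_JSON);
const clean = buildRequestHeaders(safeMerge, ATTACKER_JSON);
console.log(polluted, containsCrlf(polluted)); // two header lines, true
console.log(clean, containsCrlf(clean));       // one header line, false
```

The vulnerable run shows why the chain needs no direct reference to the injected header anywhere in the request code: the fresh `headers` object inherits it. The hardened run breaks the chain at the source by refusing prototype-reaching keys, and `containsCrlf` is the independent check a client should apply at the sink even if the source is fixed.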

Environment

Clarity 16.4.1 and below

Resolution

With Clarity 16.4.2, the Axios library shipped with the product has nevertheless been upgraded. Vulnerability scanners that flag 16.4.1 and earlier on the basis of the shipped Axios version are reporting the presence of the library, not a reachable exploit path in Clarity.
For the exact third-party component versions in each release, refer to the Third-Party Software Agreements (TPSR).