- Bug
- Resolution: Fixed
- P2
- 1.3.0
- kestrel
- generic
- solaris_2.6

After a successful authentication step, HttpURLConnection preemptively sends the cached Authorization string. This creates a security vulnerability, because HttpURLConnection inserts the string into the HTTP header of all subsequent fetches to the same host:port. The Authorization string is therefore exposed to all paths, even those that are not under the realm the client authenticated to.

- relates to
  - JDK-4244472 java.net.Authenticator does not supply sufficient authentication information
  - Resolved
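
The scoping problem described in the report, as an added example that is not JDK code: a credential cache keyed only on host:port next to one that also requires the request path to sit at or below the directory of the URL that was authenticated (the Basic protection-space rule from RFC 2617, section 2). The class name, method names, host and credentials are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Illustrative only: hypothetical names, not JDK internals. Requires Java 16+ (record).
public class PreemptiveAuthScope {
    record Entry(String hostPort, String pathPrefix, String header) {}

    private final List<Entry> cache = new ArrayList<>();

    static String hostPort(URI u) { return u.getHost() + ":" + u.getPort(); }

    // "/private/report.html" -> "/private/": the directory the credentials were accepted for.
    static String directoryOf(URI u) {
        String p = u.normalize().getPath();
        return (p == null || p.isEmpty()) ? "/" : p.substring(0, p.lastIndexOf('/') + 1);
    }

    void remember(URI authenticated, String header) {
        cache.add(new Entry(hostPort(authenticated), directoryOf(authenticated), header));
    }

    // Behaviour described in the report: any path on the same host:port gets the header.
    Optional<String> lookupHostPortOnly(URI request) {
        return cache.stream().filter(e -> e.hostPort().equals(hostPort(request)))
                .map(Entry::header).findFirst();
    }

    // Scoped lookup: host:port must match AND the normalized request path must sit
    // at or below the directory of the URL that was authenticated.
    Optional<String> lookupPathScoped(URI request) {
        String path = request.normalize().getPath();
        return cache.stream()
                .filter(e -> e.hostPort().equals(hostPort(request)) && path.startsWith(e.pathPrefix()))
                .map(Entry::header).findFirst();
    }

    public static void main(String[] args) {
        PreemptiveAuthScope c = new PreemptiveAuthScope();
        // Constructed sample: Basic credentials "user:pass" accepted for /private/report.html.
        c.remember(URI.create("http://example.test:8080/private/report.html"), "Basic dXNlcjpwYXNz");
        for (String p : List.of("/private/data/q1.csv", "/public/index.html", "/private/../public/x")) {
            URI req = URI.create("http://example.test:8080" + p);
            System.out.printf("%-24s host:port-only=%-5b path-scoped=%b%n", p,
                    c.lookupHostPortOnly(req).isPresent(), c.lookupPathScoped(req).isPresent());
        }
    }
}
```

The host:port-only lookup returns the header for all three requests, while the path-scoped lookup returns it only for `/private/data/q1.csv`; the `..` request is normalized to `/public/x` before the prefix check.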