diff --git a/build.gradle b/build.gradle
index 43d3040ee6..6317a82efd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -245,6 +245,8 @@ allprojects {
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpcore:${httpcoreVersion}"
force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}"
+ // align httpcore5-h2 with httpcore5; the transitive 5.3.6 is exposed to CVE-2026-54399/CVE-2026-54428 (fixed in 5.4.3)
+ force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}"
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpclient:${httpclientVersion}"
force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}"
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 36cd5c494d..83a4d7b1eb 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -328,14 +328,14 @@
CVE-2026-53914
+ CVE-2026-54399 (httpcore5 HTTP/1.1 parser) and CVE-2026-54428 (httpcore5-h2 HTTP/2 HPACK decoder) are both scoped to Apache HttpComponents Core 5.x only. The classic httpcore 4.x line (org.apache.httpcomponents:httpcore) is EOL, has no HTTP/2 module, is not listed as affected, and has no fixed 4.4.x release. False positives for the 4.x artifact. -->
^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$
CVE-2026-54399
+ CVE-2026-54428