diff --git a/build.gradle b/build.gradle
index 8c7c36b0ed..92e9976b6d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -248,6 +248,8 @@ allprojects {
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpcore:${httpcoreVersion}"
force "org.apache.httpcomponents.core5:httpcore5:${httpcore5Version}"
+ // align httpcore5-h2 with httpcore5; the transitive 5.3.6 is exposed to CVE-2026-54399/CVE-2026-54428 (fixed in 5.4.3)
+ force "org.apache.httpcomponents.core5:httpcore5-h2:${httpcore5Version}"
// force version for cloud, docker, fileTransfer, googledrive, tcrb, wnprc_ehr
force "org.apache.httpcomponents:httpclient:${httpclientVersion}"
force "org.apache.httpcomponents.client5:httpclient5:${httpclient5Version}"
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 4c5e10925c..cc31a5443f 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -438,14 +438,15 @@
CVE-2025-15104
^pkg:maven/org\.apache\.httpcomponents/httpcore@.*$
CVE-2026-54399
+ CVE-2026-54428