Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
AnalysisAI
Credential leakage in the Reactor Netty HTTP client exposes authentication material when following redirects that cross security boundaries from HTTPS to HTTP. Affected are all four supported release lines: 1.0.x through 1.0.51, 1.1.x through 1.1.35, 1.2.x through 1.2.17, and 1.3.x through 1.3.5. An attacker who controls or can influence a redirect response can cause the client to transmit credentials over an unencrypted channel, where they may be intercepted. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
Reactor Netty is a non-blocking, event-driven HTTP networking library built on Project Reactor and the Netty framework, widely used as the default HTTP engine in Spring WebFlux applications. The affected component is the HTTP client's redirect-following logic. CWE-522 (Insufficiently Protected Credentials) describes the root cause class: credentials - most likely Authorization headers or equivalent - are not stripped when the client automatically follows a redirect that downgrades the connection from HTTPS (TLS-protected) to HTTP (plaintext). RFC 9110 guidance mandates that HTTP clients must not forward sensitive headers such as Authorization across protocol-downgrading redirects unless the user explicitly permits it. CPE cpe:2.3:a:spring:reactor_netty:*:*:*:*:*:*:*:* confirms all major version branches of the Spring-maintained Reactor Netty library are affected. The vulnerability is reported by VMware, which is consistent with Spring Framework's organizational home.
RemediationAI
Upgrade to a patched release per the vendor advisory at https://spring.io/security/cve-2026-41715. The exact minimum fixed versions (e.g., the first patch release above each affected range) must be confirmed directly from that advisory, as the input data specifies only affected version ceilings and does not explicitly name fixed release identifiers - do not infer patch versions without verifying. As an immediate compensating control, disable automatic redirect-following in any Reactor Netty HTTP client that does not strictly require it: the vulnerability's own conditions state that the client 'must have been explicitly configured to follow redirects,' so reverting to the default non-redirect-following behavior eliminates the attack surface entirely without requiring an upgrade. If redirect-following cannot be disabled, restrict outbound requests to a known-safe allowlist of HTTPS-only endpoints to prevent HTTPS-to-HTTP downgrade redirects. Note that disabling redirect-following may break application flows that depend on it, requiring additional logic to handle 3xx responses manually.
More in Reactor Netty
View allPivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. Rated h
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a us
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can se
Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be
The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorr
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35322
GHSA-pfc9-2cqg-9wq6