Skip to main content

Reactor Netty EUVDEUVD-2026-35322

| CVE-2026-41715 MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-06-09 vmware GHSA-pfc9-2cqg-9wq6
6.1
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:27 vuln.today
CVE Published
Jun 09, 2026 - 03:48 nvd
MEDIUM 6.1

DescriptionCVE.org

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

AnalysisAI

Credential leakage in the Reactor Netty HTTP client exposes authentication material when following redirects that cross security boundaries from HTTPS to HTTP. Affected are all four supported release lines: 1.0.x through 1.0.51, 1.1.x through 1.1.35, 1.2.x through 1.2.17, and 1.3.x through 1.3.5. An attacker who controls or can influence a redirect response can cause the client to transmit credentials over an unencrypted channel, where they may be intercepted. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

Reactor Netty is a non-blocking, event-driven HTTP networking library built on Project Reactor and the Netty framework, widely used as the default HTTP engine in Spring WebFlux applications. The affected component is the HTTP client's redirect-following logic. CWE-522 (Insufficiently Protected Credentials) describes the root cause class: credentials - most likely Authorization headers or equivalent - are not stripped when the client automatically follows a redirect that downgrades the connection from HTTPS (TLS-protected) to HTTP (plaintext). RFC 9110 guidance mandates that HTTP clients must not forward sensitive headers such as Authorization across protocol-downgrading redirects unless the user explicitly permits it. CPE cpe:2.3:a:spring:reactor_netty:*:*:*:*:*:*:*:* confirms all major version branches of the Spring-maintained Reactor Netty library are affected. The vulnerability is reported by VMware, which is consistent with Spring Framework's organizational home.

RemediationAI

Upgrade to a patched release per the vendor advisory at https://spring.io/security/cve-2026-41715. The exact minimum fixed versions (e.g., the first patch release above each affected range) must be confirmed directly from that advisory, as the input data specifies only affected version ceilings and does not explicitly name fixed release identifiers - do not infer patch versions without verifying. As an immediate compensating control, disable automatic redirect-following in any Reactor Netty HTTP client that does not strictly require it: the vulnerability's own conditions state that the client 'must have been explicitly configured to follow redirects,' so reverting to the default non-redirect-following behavior eliminates the attack surface entirely without requiring an upgrade. If redirect-following cannot be disabled, restrict outbound requests to a known-safe allowlist of HTTPS-only endpoints to prevent HTTPS-to-HTTP downgrade redirects. Note that disabling redirect-following may break application flows that depend on it, requiring additional logic to handle 3xx responses manually.

Vendor StatusVendor

Share

EUVD-2026-35322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy