
Spring Security EUVD-2026-35896 | CVE-2026-41706 (MEDIUM)
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-10 · security@vmware.com · GHSA-x2r2-rvhq-2mqv
CVSS 3.1 base score 6.1 (NVD)

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: Jun 10, 2026 - 02:01 (EUVD)
Analysis generated: Jun 10, 2026 - 00:41 (vuln.today)

Description (NVD)

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target.

Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
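The defect described above is the absence of a validation step between reading the saved URL out of the cookie and placing it in the Location header. The following is an added example, not Spring Security's own code or its fix: a standalone helper that applies the check a saved-request cache needs, accepting only targets on the application's own origin and re-emitting them as an origin-relative path so that userinfo, host and fragment from the cookie never reach the redirect. The class name, the scheme/host/port values and the sample inputs are assumptions constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Validates a saved pre-authentication URL (for example one read back from a
 * CookieRequestCache-style cookie) before it is used as the post-login redirect.
 * Anything that is not same-origin collapses to a fixed fallback path.
 */
public final class SavedRequestRedirectValidator {

    private final String expectedScheme; // e.g. "https"
    private final String expectedHost;   // e.g. "trusted-app.example.com" (placeholder)
    private final int expectedPort;      // explicit port, or -1 for the scheme default
    private final String fallbackPath;   // where to send the user when the saved URL is rejected

    public SavedRequestRedirectValidator(String expectedScheme, String expectedHost,
                                         int expectedPort, String fallbackPath) {
        this.expectedScheme = expectedScheme.toLowerCase(Locale.ROOT);
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
        this.expectedPort = expectedPort;
        this.fallbackPath = fallbackPath;
    }

    /** Returns a safe, origin-relative redirect target (path plus query) or the fallback. */
    public String resolveRedirectTarget(String savedUrl) {
        if (savedUrl == null || savedUrl.trim().isEmpty()) {
            return fallbackPath;
        }
        URI uri;
        try {
            uri = new URI(savedUrl.trim());
        } catch (URISyntaxException e) {
            // Backslashes, control characters and other malformed input are rejected outright.
            return fallbackPath;
        }
        // Opaque URIs ("javascript:...", "mailto:...") have no path to redirect to.
        if (uri.isOpaque()) {
            return fallbackPath;
        }
        if (uri.isAbsolute()) {
            // Absolute URL: scheme, host and effective port must all match this application.
            if (!sameOrigin(uri)) {
                return fallbackPath;
            }
        } else if (uri.getRawAuthority() != null) {
            // Protocol-relative form ("//other.example/x") carries an authority but no scheme.
            return fallbackPath;
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/"; // bare origin or query-only reference: land on the site root
        }
        if (!path.startsWith("/")) {
            return fallbackPath; // only absolute-path references are allowed
        }
        String query = uri.getRawQuery();
        // Re-emit only path and query; userinfo, host and fragment from the cookie are dropped.
        return query == null ? path : path + "?" + query;
    }

    private boolean sameOrigin(URI uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false; // e.g. "https://user@host" forms that fail host parsing
        }
        if (!scheme.toLowerCase(Locale.ROOT).equals(expectedScheme)
                || !host.toLowerCase(Locale.ROOT).equals(expectedHost)) {
            return false;
        }
        return effectivePort(uri.getPort(), scheme) == effectivePort(expectedPort, expectedScheme);
    }

    private static int effectivePort(int port, String scheme) {
        if (port != -1) {
            return port;
        }
        return "https".equalsIgnoreCase(scheme) ? 443 : ("http".equalsIgnoreCase(scheme) ? 80 : -1);
    }

    public static void main(String[] args) {
        // Constructed sample values; the host names are placeholders, not real sites.
        SavedRequestRedirectValidator v =
                new SavedRequestRedirectValidator("https", "trusted-app.example.com", -1, "/");
        String[] samples = {
            "https://trusted-app.example.com/account?tab=orders", // same origin: kept as path+query
            "/dashboard",                                         // relative path: allowed
            "https://other.example/page",                         // foreign host: fallback
            "//other.example/page",                               // protocol-relative: fallback
            "https://trusted-app.example.com@other.example/",     // userinfo in authority: fallback
            "http://trusted-app.example.com/",                    // scheme mismatch: fallback
            "javascript:alert(1)",                                // opaque scheme: fallback
            "/\\other.example"                                    // malformed (backslash): fallback
        };
        for (String s : samples) {
            System.out.println(s + " -> " + v.resolveRedirectTarget(s));
        }
    }
}
```

The design point is that the validator never returns the cookie value itself, even when it passes: it rebuilds the target from path and query only, so a saved URL that is same-origin today cannot smuggle an authority component into the Location header, and a detection rule on the login endpoint can simply alert whenever the resolved target differs from the stored one.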

Analysis (AI-generated)

Open redirect in Spring Security's cookie-based saved-request components allows remote unauthenticated attackers to redirect authenticated users to arbitrary external URLs immediately after a successful login. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive/WebFlux stack) store the full pre-authentication URL in a browser cookie and use it without origin validation as the post-login Location target, making this exploitable via a socially engineered link. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft URL pointing to victim app login with external redirect cookie value
Delivery: Deliver link to victim via phishing or malicious web page
Exploit: Victim navigates to login page and authenticates successfully
Execution: CookieRequestCache reads unvalidated cookie URL and issues redirect
Persist: Victim's browser follows Location header to attacker-controlled domain
Impact: Attacker harvests credentials or session data on spoofed page

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires that the target application uses Spring Security's CookieRequestCache or CookieServerRequestCache for saved-request handling; this is the default behavior in Spring Security form-based login configurations where redirect-after-login is enabled, meaning a broad population of default deployments is affected without additional configuration. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 6.1 score and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N characterize a remotely exploitable, low-complexity, unauthenticated vulnerability with changed scope and low individual impact ratings. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker sends a phishing email containing a link such as https://trusted-app.example.com/login to a targeted user; if the attacker can influence the redirect cookie (e.g., by crafting a URL that causes the application to set the cookie to https://attacker.com/harvest), the victim browses to the application, successfully completes login, and is immediately and silently redirected to the attacker's credential-harvesting page at the exact moment the user trusts the redirect as part of the normal authentication flow. No public exploit code has been identified at time of analysis, but the attack requires only a browser and knowledge of the application's login URL.

Remediation: The primary remediation is to upgrade Spring Security to a patched release per the vendor advisory at https://spring.io/security/cve-2026-41706. … Detailed patch versions, workarounds, and compensating controls in full report.



EUVD-2026-35896 vulnerability details – vuln.today
