CVE-2026-41706
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Vulnerability in Spring Security's CookieRequestCache and CookieServerRequestCache stores the full absolute pre-authentication request URL in a browser cookie. After successful login, the user is redirected to this URL without validation, allowing an attacker to manipulate the redirect target.
Risk Assessment
An attacker can exploit this vulnerability to redirect authenticated users to a malicious site (open redirect), potentially leading to credential theft or malware installation.
Recommendation
Immediately update Spring Security to version 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6, depending on the branch used. If updating is not possible, consider disabling the CookieRequestCache mechanism or implementing custom redirect URL validation.
Original NVD description (English source)
Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

