CVE Catalog

CVE-2026-41706

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

Vulnerability in Spring Security's CookieRequestCache and CookieServerRequestCache stores the full absolute pre-authentication request URL in a browser cookie. After successful login, the user is redirected to this URL without validation, allowing an attacker to manipulate the redirect target.

Risk Assessment

An attacker can exploit this vulnerability to redirect authenticated users to a malicious site (open redirect), potentially leading to credential theft or malware installation.

Recommendation

Immediately update Spring Security to version 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6, depending on the branch used. If updating is not possible, consider disabling the CookieRequestCache mechanism or implementing custom redirect URL validation.

Original NVD description (English source)

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS