CVE-2026-41715 - Vulnerability Details

- Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect

Description

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected versions:
Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

Published: 2026-06-09

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In specific scenarios involving HTTP redirects from secure to insecure endpoints, the Reactor Netty HTTP client may leak stored credentials when configured to follow redirects. This constitutes a confidentiality breach, as compromised credentials could enable unauthorized authentication to protected services. The weakness stems from improper handling of redirect chains, consistent with CWE-522.

Affected Systems

The affected products are Spring’s Reactor Netty library. Vulnerable versions include 1.0.0 through 1.0.51, 1.1.0 through 1.1.35, 1.2.0 through 1.2.17, and 1.3.0 through 1.3.5. Organizations using any of these releases need to evaluate whether their applications permit automatic redirect following over HTTPS to HTTP redirects.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires an attacker to manipulate a client that follows redirects from a secure origin to an insecure one, typically by controlling the redirect target or by forging a malicious redirect response, thereby enabling credential disclosure. The risk therefore depends on the application's redirect policies and network context, but the lack of a high exploitation probability suggests that attackers would need directed access to the redirect flow.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Spring

Reactor Netty

unaffected

Version	Status	Constraints
`1.0.0`	affected	< 1.0.52
`1.1.0`	affected	< 1.1.36
`1.2.0`	affected	< 1.2.18
`1.3.0`	affected	< 1.3.6

No data.

Vendor Product Confidence Versions

Spring

Reactor Netty

100%

Version	Status	Scheme	Platform
`[1.0.0,1.0.52)`	affected	semver	—
`[1.1.0,1.1.36)`	affected	semver	—
`[1.2.0,1.2.18)`	affected	semver	—
`[1.3.0,1.3.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Reactor Netty to a version newer than 1.3.5, such as 1.3.6 or any later release, to incorporate the patch that prevents credential leaks during redirect following.
Reconfigure the HTTP client to disable automatic redirect following for requests that originate from HTTPS, or enforce strict origin checks before following redirects.
If upgrading is not immediately feasible, implement a custom redirect strategy that validates the target scheme and rejects any HTTP redirect that follows an HTTPS origin, thereby mitigating the credential leakage risk.

Generated by OpenCVE AI on June 9, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://spring.io/security/cve-2026-41715

History

Tue, 09 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spring Spring reactor Netty
Vendors & Products		Spring Spring reactor Netty

Tue, 09 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
Title		Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect
Weaknesses		CWE-522
References		https://spring.io/security/cve-2026-41715
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Spring Reactor Netty

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-09T03:48:41.439Z

Updated: 2026-06-09T13:43:25.100Z

Reserved: 2026-04-22T06:21:37.020Z

Link: CVE-2026-41715

Vulnrichment

Updated: 2026-06-09T13:43:20.979Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:35.263

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:55:48Z

Weaknesses

CWE-522

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object