Description
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected versions:
Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
Published: 2026-06-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak stored credentials when configured to follow redirects. This constitutes a confidentiality breach, as compromised credentials could enable unauthorized authentication to protected services. The weakness arises from improper handling of redirect chains, consistent with CWE-319 and CWE-522.

Affected Systems

The affected products are Spring’s Reactor Netty library. Vulnerable versions include 1.0.0 through 1.0.51, 1.1.0 through 1.1.35, 1.2.0 through 1.2.17, and 1.3.0 through 1.3.5. Organizations using any of these releases need to evaluate whether their applications permit automatic redirect following over HTTPS to HTTP redirects.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score of 0.00172 (<1%) indicates a low exploitation probability, and the vulnerability is not yetISA KEV catalog. Exploitation requires an attacker to manipulate a client that follows redirects from a secure origin to an insecure one, typically by controlling the redirect target or by forging a malicious redirect response,. The risk therefore depends on the application’s redirect policies and network context, but the low exploitation probability suggests that attackers would need directed access to the redirect flow.

Generated by OpenCVE AI on June 26, 2026 at 04:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Reactor Netty to the latest available version, which includes the required fix for credential leakage during redirect following.
  • Reconfigure the HTTP client to disable automatic redirect following for requests that originate from HTTPS, or enforce strict origin checks before following redirects.
  • If upgrading is not immediately feasible, implement a custom redirect strategy that validates the target scheme and rejects any HTTP redirect that follows an HTTPS origin, thereby mitigating the credential leakage risk.

Generated by OpenCVE AI on June 26, 2026 at 04:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring reactor Netty
Vendors & Products Spring
Spring reactor Netty

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
Title Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect
Weaknesses CWE-522
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Spring Reactor Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-23T20:46:09.111Z

Reserved: 2026-04-22T06:21:37.020Z

Link: CVE-2026-41715

cve-icon Vulnrichment

Updated: 2026-06-09T13:43:20.979Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:35.263

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41715

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-09T03:48:41Z

Links: CVE-2026-41715 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:15:11Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information

  • CWE-522

    Insufficiently Protected Credentials