CVE-2026-11477: hsweb OAuth2 Open Redirect Vulnerability – Patch Guide
CVE-2026-11477 is an open redirect vulnerability in the OAuth2 Client component of hsweb-framework versions up to 5.0.1. An attacker can craft a malicious URL that tricks users into being redirected to an external website after authenticating through your application's OAuth2 flow. This could be used for phishing or credential harvesting attacks. The vulnerability requires user interaction (clicking a link) but can be exploited over the network without authentication. Public exploit code is already available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the OAuth2Client.java file within the hsweb-authorization-oauth2 module. It stems from improper validation of redirect URIs in the OAuth2 authorization flow (CWE-601: URL Redirection to Untrusted Site). An attacker can manipulate the redirect_uri parameter to point to an arbitrary external domain, which the application fails to properly validate against a whitelist. When a user completes OAuth2 authentication, they are sent to the attacker-controlled URL instead of a legitimate application endpoint. The patch commit c2882679a9125cea52678151af5ae213cbd52579 addresses this by implementing strict redirect URI validation.
Business impact
Open redirect vulnerabilities in OAuth2 flows can severely damage trust in your authentication system. Users may be redirected to phishing pages that collect credentials or personal information. This is particularly damaging if your application is a service provider—attackers can use your legitimate authentication flow to impersonate you and harvest user data at scale. Regulatory concerns may also arise under data protection frameworks if user information is compromised through this attack vector. Customer confidence and brand reputation are at risk, especially if the vulnerability is exploited in the wild.
Affected systems
Applications using hsweb-framework (hsweb) up to and including version 5.0.1 are affected. Any deployment relying on the OAuth2Client component for authentication or authorization is vulnerable. This includes both applications that act as OAuth2 providers and those that use the framework's OAuth2 client implementation for third-party authentication integration.
Exploitability
Exploitability is moderate. The attack requires user interaction (a user must click a malicious link or be socially engineered to visit a crafted URL), but no special privileges or authentication are required from the attacker. Network accessibility is straightforward—the malicious link can be distributed via email, social media, or embedded in web pages. The CVSS score of 4.3 (Medium) reflects that while integrity is at risk, confidentiality and availability are not directly impacted. Public exploit code is available, lowering the technical barrier for opportunistic attackers.
Remediation
Update hsweb-framework to a version newer than 5.0.1 that includes the fix from commit c2882679a9125cea52678151af5ae213cbd52579. Before patching, implement compensating controls: validate all redirect_uri parameters against a strict whitelist of approved domains, reject any redirect to external hosts, and implement proper URI parsing to prevent bypass techniques (e.g., encoding tricks or protocol confusion). Review application logs for suspicious redirect_uri values to identify potential exploitation attempts.
Patch guidance
Consult the official hsweb-framework repository and release notes to identify the first version released after 5.0.1 that incorporates commit c2882679a9125cea52678151af5ae213cbd52579. Test the patched version thoroughly in a staging environment, particularly OAuth2 authentication flows and redirect behavior. Verify that all redirect_uri parameters are properly validated and that legitimate application endpoints still function correctly. Deploy to production following your standard change management procedures, prioritizing systems that expose OAuth2 authentication to untrusted users.
Detection guidance
Monitor OAuth2 authorization requests for redirect_uri parameters that point to domains outside your organization's whitelist. Check application logs for patterns like redirect_uri values containing external hostnames, unusual encoding, or special characters. Web application firewalls (WAF) can be configured to block requests with suspicious redirect_uri values. Review authentication logs for sessions that redirect to unexpected destinations. If OAuth2 logs are centralized (SIEM), create alerts for redirect_uri values that don't match approved patterns or that point to known phishing infrastructure.
Why prioritize this
While the CVSS score is Medium (4.3), this vulnerability should be treated with urgency because it directly undermines the trust model of your authentication system. Open redirect in OAuth2 is a high-trust attack—users expect authentication redirects to be safe, and attackers exploit that assumption for phishing. Public exploit availability means attacks could begin immediately. Organizations with user-facing OAuth2 flows, particularly those serving external customers or partners, should prioritize patching. If you are an OAuth2 provider (SSO service), this becomes a Critical issue due to potential cascade impact across all relying applications.
Risk score, explained
The CVSS 3.1 score of 4.3 (Medium severity) is calculated as: AV:N (Network—remotely exploitable), AC:L (Low complexity—no special conditions), PR:N (No privileges required), UI:R (User interaction required—victim must click the malicious link), S:U (Scope unchanged), C:N (Confidentiality not impacted), I:L (Integrity is slightly impacted via redirection), A:N (Availability not impacted). The score appropriately reflects that this is a real but bounded risk. However, contextual factors—such as the public availability of exploits and the sensitive nature of authentication flows—may justify treating this as higher priority than the numerical score alone suggests.
Frequently asked questions
How would an attacker actually exploit this?
An attacker crafts a malicious link to your application's OAuth2 authorization endpoint, but adds a redirect_uri parameter pointing to their phishing site. They send this link via email or social engineering. When a user clicks it and authenticates, they are redirected to the attacker's site instead of back to the legitimate application. The attacker can then display a fake login form or collect other sensitive information.
Do we need special OAuth2 knowledge to patch this?
No. The patch is applied by updating the hsweb-framework library to a fixed version. Standard dependency management tools (Maven, Gradle, etc.) handle the update. Your application code likely requires no changes, though you should test OAuth2 flows after updating to ensure nothing breaks.
If we're not using the OAuth2Client component, are we still at risk?
Only if your application uses the hsweb-framework OAuth2 authorization module. If you've implemented OAuth2 security through other libraries or custom code, you should still review your own redirect URI validation. The vulnerability is specific to hsweb's OAuth2Client implementation.
What if we can't patch immediately?
Implement strict input validation on the redirect_uri parameter: maintain a whitelist of approved redirect destinations, reject any redirect to external domains, and use URL parsing libraries to prevent bypass techniques. Monitor logs for exploitation attempts. Plan a patching window urgently—this is not a vulnerability to leave unpatched long-term, especially if it's actively exploited.
This analysis is provided for informational purposes and reflects the vulnerability details as of the published date. SEC.co makes no guarantee of the accuracy, completeness, or timeliness of this information. Patch versions, release dates, and availability are subject to change by the vendor; verify all patching guidance against official hsweb-framework repositories and advisories before deploying to production. This vulnerability intelligence does not constitute legal, compliance, or professional security advice. Organizations should conduct their own risk assessments based on their specific systems, configurations, and threat landscape. No exploit code or weaponizable proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-21826MEDIUMHCL Digital Experience Host Header Injection Vulnerability
- CVE-2026-28301MEDIUMOpen Redirect Vulnerability (MEDIUM CVSS 4.8)
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft
- CVE-2026-41844MEDIUMSpring Framework Open Redirect Vulnerability via URL Mapping
- CVE-2026-45307MEDIUMSpeakr Open Redirect Vulnerability in Post-Login Redirects