CVE-2026-41008: Spring Authorization Server Open Redirect Vulnerability (CVSS 6.1)
Spring Security Authorization Server contains an open redirect vulnerability in its authorization endpoint. When processing OAuth 2.0 authorization requests, the server insufficiently validates the request_uri parameter, allowing an attacker to combine an invalid request_uri with a crafted redirect_uri to redirect users to an attacker-controlled website after authentication. This affects Spring Security versions 7.0.0–7.0.5 and Spring Authorization Server versions 1.5.0–1.5.7.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation on the request_uri parameter in Spring Security Authorization Server's authorization endpoint. An attacker crafts a malicious authorization request with a malformed request_uri paired with an arbitrary, unvalidated redirect_uri. Due to incomplete validation logic, the server fails to reject the malicious redirect target, leading to CWE-601 (URL Redirection to Untrusted Site). The vulnerability requires user interaction—a victim must click a malicious link or be redirected to the authorization endpoint—and the attack surface is network-accessible without authentication.
Business impact
This vulnerability enables credential harvest and phishing at scale. An attacker can craft a seemingly legitimate authorization link that directs authenticated users to an attacker-controlled site after login, exfiltrating session tokens, credentials, or sensitive data. In environments where Spring Authorization Server acts as a central identity provider, a single instance compromise affects all dependent applications. Organizations relying on OAuth 2.0 delegation for third-party integrations face reputation damage and potential regulatory exposure if user data is intercepted.
Affected systems
Spring Security versions 7.0.0 through 7.0.5 and Spring Authorization Server versions 1.5.0 through 1.5.7 are affected. Any organization deploying these versions as an authorization server or embedded within Spring-based applications is potentially vulnerable. This includes microservices architectures using Spring Boot with OAuth 2.0 authorization delegation, as well as standalone authorization servers providing identity services to multiple tenants or external partners.
Exploitability
Exploitability is straightforward from a technical perspective: an attacker need only craft a malicious URL and distribute it via phishing or social engineering. The attack requires no special privileges, authentication, or complex bypasses. However, the CVSS score of 6.1 reflects that user interaction is necessary—a victim must initiate the authorization flow by clicking the link. This slightly raises the bar compared to pre-authentication server-side exploits, but phishing campaigns and insider attacks make this a practical threat in real-world scenarios.
Remediation
Organizations must immediately upgrade to patched versions provided by Spring and VMware. Verify the specific patch version numbers in the vendor advisories before deployment. Organizations unable to patch immediately should implement network-level controls: restrict authorization endpoint access to trusted networks, enforce HTTPS with certificate pinning for redirect validation, and deploy Web Application Firewalls (WAF) rules to detect malformed request_uri parameters. Additionally, implement strict redirect URI allowlisting at the application configuration level rather than relying on runtime validation alone.
Patch guidance
Contact VMware and Broadcom for patched versions of Spring Security and Spring Authorization Server. Patch versions should be explicitly listed in vendor security advisories; verify against those sources before deployment to production. Test patches in a staging environment to ensure OAuth 2.0 flows remain functional and no legitimate authorization requests are blocked by stricter validation. Prioritize patching for instances exposed to untrusted networks or used as multi-tenant identity providers.
Detection guidance
Monitor authorization endpoint logs for request_uri parameters containing unusual encoding, protocol mismatches, or references to external domains. Implement alerting for redirect_uri values that do not match configured allowlists. Use WAF signatures to detect malformed or suspicious request_uri patterns. Correlate failed authorization attempts with downstream redirects to external IPs. If your environment supports audit logging, review historical authorization requests for signs of exploitation: look for valid credentials paired with unexpected redirect destinations in post-authentication logs.
Why prioritize this
Although the CVSS score is 6.1 (Medium), the practical risk is elevated due to ease of exploitation, phishing compatibility, and high-value attack targets. Organizations with externally accessible authorization servers or those providing identity services to partners should treat this as a near-critical priority. The attack chain is simple, and the attacker gains access to sessions or credentials—both high-value outcomes. Internal-only authorization servers have somewhat lower urgency but should not be deprioritized indefinitely.
Risk score, explained
CVSS 3.1 score of 6.1 reflects: Network-accessible attack vector (AV:N), Low attack complexity (AC:L), no authentication required (PR:N), but User Interaction required (UI:R). The impact is Confidentiality and Integrity degradation (C:L/I:L) with no Availability impact (A:N). The Scope Change (S:C) accounts for potential impact on downstream systems. The Medium severity designation acknowledges that real-world exploitation depends on social engineering and victim action, but the ease of crafting attacks and the sensitive nature of OAuth flows warrant careful monitoring and timely patching.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The attack requires a user to click a malicious link or be redirected to the authorization endpoint. An attacker cannot silently exploit this vulnerability server-to-server; phishing or social engineering is a prerequisite.
Does this affect only externally facing authorization servers, or also internal deployments?
Both are at risk, though external deployments are higher priority. Internal authorization servers are vulnerable to insider threats or lateral movement attacks where an attacker controls a machine on the internal network and crafts malicious links to send to other users.
What's the difference between patching and implementing compensating controls?
Patching fixes the underlying validation logic and is the only permanent solution. Compensating controls like allowlisting, WAF rules, and network segmentation reduce exploitability but do not eliminate the flaw. Use controls as interim measures only while you plan and test patch deployment.
How does this vulnerability interact with single sign-on (SSO) implementations?
In SSO environments, the authorization server is a critical trust boundary. A successful open redirect attack here can compromise credentials used across all downstream applications, amplifying the blast radius. SSO-heavy organizations should treat this as especially urgent.
This analysis is based on CVE-2026-41008 as published and does not constitute security advice specific to your environment. Verify all patch versions and compatibility against official vendor advisories before deployment. SEC.co provides this information for educational and risk assessment purposes; organizations must conduct their own threat modeling and testing. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41706MEDIUMSpring Security Cookie-Based Open Redirect Vulnerability
- CVE-2026-41844MEDIUMSpring Framework Open Redirect Vulnerability via URL Mapping
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-11477MEDIUMhsweb OAuth2 Open Redirect Vulnerability – Patch Guide
- CVE-2026-21826MEDIUMHCL Digital Experience Host Header Injection Vulnerability
- CVE-2026-28301MEDIUMOpen Redirect Vulnerability (MEDIUM CVSS 4.8)
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)