MEDIUM 6.1

CVE-2026-41706: Spring Security Cookie-Based Open Redirect Vulnerability

Spring Security's request caching mechanisms (CookieRequestCache and CookieServerRequestCache) contain an open redirect vulnerability. These components store the URL users intended to visit before logging in, then redirect them there after successful authentication. The vulnerability exists because the stored URL is not validated before being used as a redirect target, allowing attackers to craft malicious login links that redirect authenticated users to arbitrary external websites. An attacker could exploit this to perform phishing attacks, credential harvesting, or malware distribution by tricking users into clicking a specially crafted link.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability affects Spring Security's request caching implementations across multiple versions. When a user attempts to access a protected resource without authentication, CookieRequestCache and CookieServerRequestCache store the full absolute request URL in a browser cookie. Upon successful authentication, this URL is retrieved from the cookie and used directly as the post-login redirect target without any validation to ensure it belongs to the intended application domain. This violates the principle of whitelist-based redirect validation and enables CWE-601 (URL Redirection to Untrusted Site) attacks. The unvalidated redirect occurs at the HTTP response level and is exploitable whenever the application relies on these caching mechanisms for post-authentication navigation.

Business impact

Open redirect vulnerabilities in authentication flows directly undermine user trust and can facilitate credential theft. Users logging into applications may be redirected to attacker-controlled domains that mimic the legitimate site, increasing the likelihood of password reuse compromise. In enterprise environments, this could enable account takeover at scale, particularly if users leverage single sign-on (SSO) integrations. Regulatory and compliance implications exist for organizations handling sensitive data, as security control failures in authentication mechanisms are often flagged in security audits and assessments. Additionally, the vulnerability can damage brand reputation if users are redirected to malicious sites following login.

Affected systems

Spring Security versions spanning multiple release lines are affected: 5.7.0–5.7.23, 5.8.0–5.8.25, 6.3.0–6.3.16, 6.4.0–6.4.16, 6.5.0–6.5.10, and 7.0.0–7.0.5. Any Spring-based application using CookieRequestCache or CookieServerRequestCache for storing pre-authentication request URLs is at risk. Applications relying on default Spring Security configurations for request caching are typically affected. The vulnerability impacts both traditional monolithic applications and microservices architectures that use Spring Security for authentication and authorization.

Exploitability

Exploitation requires user interaction—the attacker must trick a user into clicking a malicious login link. The attack has no authentication prerequisites (CVSS PR:N) and operates over the network. The technical barrier is low; an attacker simply constructs a login URL with a redirect parameter pointing to an attacker-controlled domain. However, social engineering is necessary to convince users to follow the link. The CVSS score of 6.1 (MEDIUM) reflects the requirement for user interaction (UI:R) and the limited scope of impact (confidentiality and integrity, but not availability). The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, though this does not guarantee absence of active exploitation.

Remediation

Upgrade to patched versions of Spring Security that implement URL validation for redirect targets. Verify against the VMware Spring Security security advisory for the specific patched version numbers corresponding to your currently deployed version line. Organizations should prioritize upgrades for applications internet-facing or handling sensitive authentication workflows. As an interim compensating control pending patching, implement a redirect URL whitelist at the application or reverse proxy level to restrict post-login redirects to known, trusted domains only.

Patch guidance

Consult the official VMware Spring Security security advisory to identify the minimum patched version for your current release line. Organizations running 5.7.x should upgrade to at least 5.7.24 or later (verify against official guidance); 5.8.x, 6.3.x, 6.4.x, 6.5.x, and 7.0.x should follow similar guidance using their respective advisory. Update Spring Security in your dependency management system (Maven, Gradle) and perform regression testing focusing on authentication and redirect flows. Verify that legitimate post-login redirects to intended destinations continue to function correctly after patching.

Detection guidance

Monitor for suspicious redirect parameters in login requests, particularly those pointing to external domains. Log all redirect targets after successful authentication and alert on redirects to domains outside an approved whitelist. Review browser cookies for unusual absolute URLs stored in request cache entries. In application logs, search for patterns where the referrer differs significantly from the redirect destination. Network-based detection should flag login flows followed by redirects to known malicious or suspicious domains. Test your environment by attempting a crafted redirect and confirming whether the unvalidated redirect occurs.

Why prioritize this

While the CVSS score is MEDIUM (6.1), this vulnerability directly targets the authentication pathway, a critical security boundary. The combination of open redirect with authentication flows creates material risk for account compromise and phishing. User interaction is required, but login pages are high-confidence targets for social engineering. The lack of active exploitation in KEV does not diminish priority—this is a foundational security control failure that should be remediated proactively. Organizations with high-value user bases or strict security governance should prioritize this ahead of lower-criticality medium-severity issues.

Risk score, explained

The CVSS v3.1 score of 6.1 (MEDIUM, AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects the network accessibility and ease of exploitation balanced against the user interaction requirement and limited impact scope. While the vulnerability does not disrupt availability, it can leak sensitive information (session tokens, user details) and allow tampering via redirect to malicious sites. The changed scope (S:C) indicates the vulnerability can affect resources beyond the vulnerable application. The score appropriately captures risk but should not be interpreted as low priority in a defense-in-depth context, particularly for applications handling sensitive authentication.

Frequently asked questions

Does this vulnerability require the attacker to have access to the application's infrastructure?

No. The attacker only needs to craft a malicious login URL containing a redirect parameter and convince users to click it. This is purely a client-side social engineering attack; no backend compromise or insider access is required.

Can this be exploited without user interaction?

No. The CVSS rating correctly includes user interaction (UI:R) because the user must click the malicious link and successfully authenticate for the redirect to occur. However, login pages are common targets for phishing campaigns, making this interaction relatively feasible from an attacker perspective.

What is the difference between CookieRequestCache and CookieServerRequestCache, and are both affected equally?

Both are request caching mechanisms with the same vulnerability: they store unvalidated absolute URLs for post-login redirects. CookieRequestCache stores data client-side in cookies; CookieServerRequestCache uses server-side storage but shares the same redirect validation flaw. Both require patching.

If we implement a reverse proxy redirect whitelist, is patching still mandatory?

A whitelist at the reverse proxy or WAF level provides temporary defense-in-depth, but patching Spring Security is mandatory. Proxy-level controls can be bypassed or misconfigured, and relying solely on external controls creates operational risk. Patch the application, then add proxy controls as an additional layer.

This analysis is provided for informational purposes and does not constitute professional security advice. Organizations must verify all version numbers, patch availability, and compatibility against official VMware Spring Security security advisories before deploying fixes. CVSS scores and severity ratings are supplied by the vulnerability author and should be contextualized within your organization's threat model and asset criticality. No active exploitation has been reported in CISA's KEV catalog as of the analysis date, but absence from KEV does not indicate low risk or absence of exploitation activity. Security teams should conduct independent testing and threat modeling to determine organizational risk and prioritization. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).