CVE-2026-41844: Spring Framework Open Redirect Vulnerability via URL Mapping
CVE-2026-41844 is a redirect vulnerability in Spring Framework that allows attackers to craft malicious links causing users' browsers to redirect to arbitrary external websites. The flaw exists in Spring MVC and Spring WebFlux applications configured with a catch-all URL mapping ("/**") where the view name is not explicitly set. An attacker can exploit the 'redirect:' prefix to bypass intended routing controls and send users to phishing sites or other malicious hosts. This requires user interaction—the victim must click a crafted link—and impacts four widely-used versions of Spring Framework spanning multiple release series.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.2 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability arises from insufficient validation of the redirect: prefix in view resolution when applications use a wildcard path mapping ("/**") without an explicitly specified view name. Spring MVC and Spring WebFlux frameworks process this prefix to construct HTTP 302 redirects, but do not adequately restrict the target URL to internal or whitelisted hosts. An attacker can inject an arbitrary URL into the view resolution process, causing the application to issue a redirect response to an external domain under the attacker's control. The affected version ranges are Spring Framework 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The flaw is classified as CWE-601 (URL Redirection to Untrusted Site).
Business impact
Open redirect vulnerabilities degrade user trust and enable credential theft, malware distribution, and brand impersonation. A user who clicks a crafted link on a legitimate page may be redirected to an attacker-controlled site that mimics your application's login or payment interface, resulting in compromised credentials or financial loss. The reputational damage occurs when users report being redirected to phishing sites from your domain. Incident response and user notification efforts may be required if the vulnerability is exploited at scale. The attack's reliance on user interaction means sustained social engineering or email campaigns are necessary, reducing the likelihood of opportunistic exploitation but not eliminating risk in targeted scenarios.
Affected systems
Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are affected when deployed as Spring MVC or Spring WebFlux applications with a catch-all "/**" route mapping lacking an explicit view name configuration. Legacy Spring applications on version 5.3.x and standard deployments on the 6.x and 7.x lines are all potentially vulnerable. Applications that do not use wildcard path mappings or that explicitly specify all view names are not affected.
Exploitability
Exploitability is moderate and requires user interaction. The attacker must craft a URL that embeds a crafted link pointing to the vulnerable application, then convince or trick a user into clicking it. The vulnerability is not remotely exploitable without social engineering. The CVSS 3.1 score of 4.2 (Medium severity) reflects these constraints: network accessibility, high complexity (due to configuration and user interaction requirements), and lack of privilege escalation potential. The attack does not produce code execution, data exfiltration from the server, or denial of service—it merely redirects the user's browser.
Remediation
Upgrade Spring Framework to a patched version outside the affected ranges. Consult the VMware Spring Framework security advisories for the specific patched versions corresponding to your current release series. Interim mitigations include explicitly specifying view names in all URL mappings to avoid reliance on implicit resolution, implementing strict URL validation for redirect targets to permit only internal paths and whitelisted external hosts, and using HTTP security headers such as X-Frame-Options and Content-Security-Policy to reduce phishing effectiveness. Code-level fixes should validate that any URL passed to the redirect: prefix is either relative to the application or points to a pre-approved external domain.
Patch guidance
Verify the patched version numbers against the official VMware Spring Framework security advisory, as specific patch versions are not detailed in this analysis. Prioritize upgrading to the latest stable release in your current series (e.g., 7.0.8 or later for 7.x users, 6.2.19 or later for 6.2.x users). Test patches in a staging environment before production rollout, particularly for Spring WebFlux deployments which may have async-specific interactions. If immediate patching is not feasible, apply the interim mitigations listed in the remediation section.
Detection guidance
Monitor HTTP response logs for 302 redirects to external hosts originating from your application. Flag requests to the "/**" route that include the 'redirect:' prefix in request parameters or path segments. Analyze access logs for unusual redirect patterns, particularly those pointing to newly registered or suspicious domains. Implement web application firewalls (WAF) rules to detect and block requests containing 'redirect:' followed by external URLs (e.g., http://, https://, //) on vulnerable endpoints. Security information and event management (SIEM) systems should alert on redirect responses to non-whitelisted external domains. Correlate these detections with email or social engineering reports to identify active exploitation attempts.
Why prioritize this
This vulnerability warrants priority patching because it affects four widely-used Spring Framework version series, the framework is ubiquitous in enterprise Java environments, and the redirect mechanism is a common vector for phishing and credential theft. Although the CVSS score is moderate and user interaction is required, the low barrier to crafting a malicious link and the high potential for social engineering-driven campaigns—especially against users familiar with your brand—justify rapid remediation. Prioritize systems exposed to the internet and applications that handle sensitive transactions (authentication, payment, account changes).
Risk score, explained
The CVSS 3.1 score of 4.2 reflects a Medium-severity issue with limited attack complexity and no direct confidentiality, integrity, or availability impact to the server itself. The score accounts for network accessibility (AV:N), high complexity due to configuration requirements and mandatory user interaction (AC:H, UI:R), and the absence of privilege escalation or server compromise (S:U, C:L, I:L, A:N). While the numerical score is moderate, the reputational and trust implications of redirect-based phishing justify treating this as a higher business priority than the base score alone suggests, particularly in customer-facing applications.
Frequently asked questions
Do I need to apply this patch if my Spring application doesn't use a catch-all '/**' route mapping?
No. The vulnerability requires a specific configuration: a wildcard "/**" path mapping where the view name is not explicitly specified. If all your route mappings include explicit view names or do not use a catch-all pattern, you are not vulnerable. Review your Spring configuration (XML or annotations) to confirm.
Can this vulnerability be exploited without user interaction?
No. The attacker must trick or socially engineer a user into clicking a malicious link. The vulnerability does not enable direct server-side exploitation or automated attacks. However, the low cost of distributing malicious links via email or posting them on forums makes this a realistic risk in targeted campaigns.
Is there a workaround if I cannot patch immediately?
Yes. Explicitly specify view names in all route mappings to prevent implicit resolution of the redirect: prefix. Additionally, implement URL validation logic that restricts redirect targets to internal paths or a whitelist of approved external domains. These mitigations reduce exposure while you plan your upgrade.
What should I do if I suspect this vulnerability has been exploited in my environment?
Check HTTP response logs and access logs for unexpected 302 redirects to external hosts originating from your application. Review email and user reports of being redirected to suspicious sites from your domain. If confirmed, notify affected users, reset credentials if a phishing site was involved, and escalate to your incident response team. Then apply the patch immediately.
This analysis is based on publicly available information as of the published date and reflects VMware's official CVE disclosure. Patch version numbers and specific remediation steps should be verified against the official VMware Spring Framework security advisories. Exploit code or weaponized proof-of-concept details are not provided in this explainer. Organizations should conduct their own risk assessment and testing before applying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-11477MEDIUMhsweb OAuth2 Open Redirect Vulnerability – Patch Guide
- CVE-2026-21826MEDIUMHCL Digital Experience Host Header Injection Vulnerability
- CVE-2026-28301MEDIUMOpen Redirect Vulnerability (MEDIUM CVSS 4.8)
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft
- CVE-2026-45307MEDIUMSpeakr Open Redirect Vulnerability in Post-Login Redirects