CVE-2026-41715
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Reactor Netty | 1.0.0 < 1.0.52 | affected |
| Spring | Reactor Netty | 1.1.0 < 1.1.36 | affected |
| Spring | Reactor Netty | 1.2.0 < 1.2.17.1 | affected |
| Spring | Reactor Netty | 1.3.0 < 1.3.15.1 | affected |
Weaknesses
- CWE-522: CWE-522: Insufficiently Protected Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.