PatchSiren cyber security CVE debrief
CVE-2026-41706 Spring CVE debrief
CVE-2026-41706 is a vulnerability in Spring Security's CookieRequestCache and CookieServerRequestCache. These components store the pre-authentication request URL in a browser cookie to redirect users to their intended destination after a successful login. However, in affected versions, the full absolute URL is stored in the cookie and used without validation as the post-login redirect target. This allows attackers to manipulate the redirect URL, potentially leading to phishing attacks.
- Vendor: Spring
- Product: Spring Security
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Developers and administrators using Spring Security versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.1 and is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Security.
- Implement additional validation for redirect URLs.
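The second action above, validating the redirect target, is where a practitioner wants something concrete. The value read back from the cookie is attacker-influenced, so the safe approach is to reduce it to a same-origin, path-only target before handing it to the browser, and to fall back to a fixed default whenever it does not pass. The following helper is an added example written for this debrief; it is not Spring Security's own code, and the class name `SafeRedirectTarget`, the method `sanitize`, the host `app.example` and the sample inputs are all assumptions constructed for illustration. In an application it would be applied to the URL returned by the request cache (for instance the `SavedRequest` redirect URL in a custom `AuthenticationSuccessHandler`) before calling `sendRedirect`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

/**
 * Hypothetical helper (not part of Spring Security): turns a post-login redirect
 * target read from an untrusted cookie into a same-origin, path-only redirect.
 * Anything that would send the browser to another origin is discarded.
 */
public final class SafeRedirectTarget {

    private final String expectedHost; // host the application is served on (assumed)

    public SafeRedirectTarget(String expectedHost) {
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
    }

    /**
     * Returns "path?query" suitable for sendRedirect, or empty when the candidate
     * must be ignored and the application's default landing page used instead.
     */
    public Optional<String> sanitize(String candidate) {
        if (candidate == null || candidate.isBlank()) {
            return Optional.empty();
        }
        final URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            // Backslashes, spaces and control characters are not valid URI syntax;
            // browsers may still interpret them, so treat parse failure as unsafe.
            return Optional.empty();
        }
        // Reject non-HTTP schemes (javascript:, data:, ...) outright.
        String scheme = uri.getScheme();
        if (scheme != null
                && !scheme.equalsIgnoreCase("http")
                && !scheme.equalsIgnoreCase("https")) {
            return Optional.empty();
        }
        // An absolute or protocol-relative URL ("//other.example/...") carries an
        // authority. Only accept it when the parsed host is ours; note that
        // "https://app.example@other.example/" parses with host other.example.
        if (uri.getRawAuthority() != null) {
            String host = uri.getHost();
            if (host == null || !host.toLowerCase(Locale.ROOT).equals(expectedHost)) {
                return Optional.empty();
            }
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) {
            return Optional.empty(); // opaque or relative forms
        }
        // Drop scheme, authority and fragment; keep only path and query so the
        // resulting Location header always stays on the current origin.
        String query = uri.getRawQuery();
        return Optional.of(query == null ? path : path + "?" + query);
    }

    // Demonstration with constructed inputs (not real cookie values).
    public static void main(String[] args) {
        SafeRedirectTarget guard = new SafeRedirectTarget("app.example");
        String[] samples = {
            "/dashboard?tab=1",                       // accepted as-is
            "https://app.example/orders/42",          // accepted, reduced to /orders/42
            "https://other.example/login",            // rejected: foreign host
            "//other.example/login",                  // rejected: protocol-relative
            "https://app.example@other.example/",     // rejected: userinfo trick
            "javascript:alert(1)",                    // rejected: non-HTTP scheme
            "/\\other.example",                       // rejected: invalid URI
        };
        for (String s : samples) {
            String result = guard.sanitize(s).orElse("<use default landing page>");
            System.out.println(s + " -> " + result);
        }
    }
}
```

Reducing the stored target to path and query, rather than comparing whole URLs, is deliberate: it makes the origin the application's own at redirect time regardless of what was written into the cookie, so the check does not depend on enumerating every host-confusion variant a browser might accept.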
Evidence notes
Evidence from the NVD and Spring Security documentation supports the details of this vulnerability.
Official resources
- CVE-2026-41706 CVE record (CVE.org)
- CVE-2026-41706 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41706 was published on 2026-06-10T00:16:51.223Z and modified on 2026-06-10T19:24:04.320Z.