PatchSiren cyber security CVE debrief
CVE-2026-41844 Spring CVE debrief
A Spring MVC or Spring WebFlux application that configures a mapping for '/**' without explicitly specifying a view name is vulnerable to a 302 redirect attack via the 'redirect:' prefix. This issue affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 4.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Users of affected Spring Framework versions should review and update their configurations to mitigate this vulnerability.
Technical summary
The vulnerability arises from how Spring resolves the view name for a mapping when none is configured explicitly. When a mapping is configured for '/**' without a specified view name, an attacker can exploit this by crafting a link that introduces the 'redirect:' prefix into the resolved view name, potentially redirecting users to arbitrary external hosts.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-vulnerable version of Spring Framework.
- Review and adjust application configurations for '/**' mappings to specify explicit view names.
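The following is an added example, not code from the PatchSiren debrief or from the Spring project, showing the configuration pattern the second action above refers to. It assumes a Spring MVC application using a `WebMvcConfigurer`; the class name `SafeViewConfig` and the view name `"index"` are illustrative choices. The weak form leaves the '/**' view-controller mapping without a view name, so the view is derived from the request path; the hardened form pins the mapping to a fixed view name.

```java
// Added example (not from the debrief or the Spring project): a Spring MVC
// WebMvcConfigurer contrasting a '/**' view-controller mapping that relies on
// default request-to-view-name translation with one that sets an explicit view.
// SafeViewConfig and the view name "index" are assumptions for illustration.
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class SafeViewConfig implements WebMvcConfigurer {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        // WEAK (the pattern the advisory warns about): a catch-all mapping with
        // no view name, so the view to render is derived from the request path.
        // registry.addViewController("/**");

        // HARDENED: bind the catch-all mapping to a fixed view name so the
        // request path never selects the view and a 'redirect:' view name
        // cannot be introduced through the URL.
        registry.addViewController("/**").setViewName("index");
    }
}
```

This only addresses the configuration side of the advisory and only for Spring MVC; the debrief lists Spring WebFlux as affected too, so equivalent catch-all mappings there should be reviewed for the same "no explicit view name" condition. Upgrading to a non-vulnerable Spring Framework version remains the primary fix, and an audit of every `addViewController` call (or XML `mvc:view-controller` element) for a missing view name is a quick way to find remaining instances.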
Evidence notes
CVE-2026-41844 has a CVSS score of 4.2 and is classified as MEDIUM severity. It was published on 2026-06-09 and modified on 2026-06-11.
Official resources
- CVE-2026-41844 CVE record (CVE.org)
- CVE-2026-41844 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41844 was published on 2026-06-09T05:16:36.440Z and modified on 2026-06-11T16:19:09.660Z.