
AIKIDO-2026-11188

spring-security-web is vulnerable to Open Redirect

Open Redirect · CVE-2026-41706 · Published 3 days ago

Score: 61 (Medium Risk)

This affects:

Java: spring-security-web

- 0.0.1 - 5.7.23, fixed in 5.7.24
- 5.8.0 - 5.8.25, fixed in 5.8.26
- 6.0.0 - 6.3.16, fixed in 6.3.17
- 6.4.0 - 6.4.16, fixed in 6.4.17
- 6.5.0 - 6.5.10, fixed in 6.5.11
- 7.0.0 - 7.0.5, fixed in 7.0.6

TL;DR

Affected versions of Spring Security may allow an open redirect after login when CookieRequestCache or CookieServerRequestCache is used to persist the original request URL in a browser cookie. Because the absolute URL from the REDIRECT_URI cookie is reused without validation, an attacker who can tamper with that cookie may force the application to send the user to an attacker-controlled site after successful authentication. In practice, this could be exploited through cookie injection from a related subdomain, HTTP response splitting, or a downgrade from HTTPS to HTTP, enabling convincing phishing flows that abuse the trusted login process.

Who does this affect?

You are affected if you are using a version that falls within a vulnerable range and your application uses CookieRequestCache (Servlet) or CookieServerRequestCache (WebFlux) as its RequestCache implementation. Applications that keep the default HttpSessionRequestCache are not affected by this issue.

Background info

spring-security-web is vulnerable to Open Redirect in versions 0.0.1 - 5.7.23, 5.8.0 - 5.8.25, 6.0.0 - 6.3.16, 6.4.0 - 6.4.16, 6.5.0 - 6.5.10 and 7.0.0 - 7.0.5.

How to fix this

Upgrade the org.springframework.security:spring-security-web library to the fixed version for your release line (5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11 or 7.0.6).
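If the upgrade cannot ship immediately, the cookie-sourced redirect URL can be validated before it is replayed. The following is an added example, not Spring Security's own code and not part of this advisory: a RequestCache decorator that wraps CookieRequestCache and discards a saved request whose absolute redirect URL does not share the scheme, host and port of the request that completed login. The class name SameOriginRequestCache and the helper isSameOrigin are assumptions for illustration; the RequestCache, SavedRequest and CookieRequestCache types are the real Servlet-stack API from org.springframework.security.web.savedrequest. The jakarta.servlet imports assume Spring Security 6 or later; on the 5.x lines use javax.servlet instead.

```java
import java.net.URI;
import java.net.URISyntaxException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.web.savedrequest.CookieRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/**
 * Illustrative decorator (hypothetical, not part of Spring Security) that refuses to
 * replay a saved request whose redirect URL points at a different origin than the
 * request currently being served. Intended as defence in depth around
 * CookieRequestCache while an upgrade to a fixed spring-security-web is pending.
 */
public class SameOriginRequestCache implements RequestCache {

    private final RequestCache delegate;

    public SameOriginRequestCache(RequestCache delegate) {
        this.delegate = delegate;
    }

    /** Convenience factory: wrap a plain CookieRequestCache. */
    public static SameOriginRequestCache wrappingCookieCache() {
        return new SameOriginRequestCache(new CookieRequestCache());
    }

    @Override
    public void saveRequest(HttpServletRequest request, HttpServletResponse response) {
        delegate.saveRequest(request, response);
    }

    @Override
    public SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response) {
        SavedRequest saved = delegate.getRequest(request, response);
        if (saved == null) {
            return null;
        }
        if (!isSameOrigin(saved.getRedirectUrl(), request)) {
            // Tampered or foreign cookie: drop it so the success handler falls back to its default target.
            delegate.removeRequest(request, response);
            return null;
        }
        return saved;
    }

    @Override
    public HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response) {
        // Only let the delegate match (and consume) the saved request after it passed the origin check.
        SavedRequest saved = getRequest(request, response);
        return saved == null ? null : delegate.getMatchingRequest(request, response);
    }

    @Override
    public void removeRequest(HttpServletRequest request, HttpServletResponse response) {
        delegate.removeRequest(request, response);
    }

    /** Compares the saved URL against the origin of the current request. */
    static boolean isSameOrigin(String redirectUrl, HttpServletRequest request) {
        return isSameOrigin(redirectUrl, request.getScheme(), request.getServerName(), request.getServerPort());
    }

    /**
     * Pure check so it can be unit-tested without a servlet container: the URL must parse,
     * must be absolute, and its scheme, host and effective port must all match.
     */
    static boolean isSameOrigin(String redirectUrl, String scheme, String host, int port) {
        if (redirectUrl == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(redirectUrl);
        } catch (URISyntaxException e) {
            return false; // unparsable value in the cookie: treat as hostile
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return false; // CookieRequestCache stores absolute URLs, so anything else is unexpected
        }
        int redirectPort = uri.getPort() == -1 ? defaultPort(uri.getScheme()) : uri.getPort();
        return uri.getScheme().equalsIgnoreCase(scheme)
                && uri.getHost().equalsIgnoreCase(host)
                && redirectPort == port;
    }

    private static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }
}
```

Register it in place of the bare CookieRequestCache, for example with `http.requestCache(cache -> cache.requestCache(SameOriginRequestCache.wrappingCookieCache()))` in the HttpSecurity configuration. Behind a TLS-terminating proxy, the scheme and port seen by `HttpServletRequest` reflect the proxy hop, so make sure the container or `ForwardedHeaderFilter` has applied the `X-Forwarded-*` headers before this check runs, otherwise legitimate HTTPS redirects will be rejected. This guard only covers the Servlet stack; the WebFlux CookieServerRequestCache would need an equivalent wrapper, and neither replaces the upgrade.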