CVE-2026-11477
Status: Deferred - Pending Action
Open Redirect in hs-web hsweb-framework

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue.
Affected Vendors & Products
Vendor: hs-web
Product: hsweb-framework
Version / Range: up to 5.0.1 (inclusive)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

The vulnerability CVE-2026-11477 exists in the OAuth2 implementation of the hsweb-framework, specifically in the OAuth2Client component. It involves a flaw in the validation of the redirect_uri parameter during the OAuth2 authorization process.

The framework originally used a simple prefix-based check to validate redirect URIs, which could be bypassed by manipulating parts of the URL such as the userinfo component. This bypass allows an attacker to redirect the OAuth2 flow to an unintended destination, resulting in an open redirect vulnerability.

The vulnerability can be exploited remotely and the exploit is publicly known. The issue was fixed by replacing the prefix-based validation with stricter URI component checks, introducing configurable validation modes (COMPATIBLE and EXACT), rejecting redirect URIs containing fragments, and binding authorization codes to the authorized redirect URI to prevent misuse.

Impact Analysis

This vulnerability allows attackers to perform open redirect attacks during the OAuth2 authorization process.

An attacker could manipulate the redirect_uri parameter to redirect users to malicious sites, potentially leading to phishing attacks or unauthorized access.

Because the OAuth2 flow is critical for authentication and authorization, exploiting this vulnerability could undermine the security of applications relying on the hsweb-framework for OAuth2, potentially compromising user sessions or credentials.

Detection Guidance

The vulnerability involves bypassing the redirect_uri validation in the OAuth2 implementation of hsweb-framework by manipulating the redirect_uri parameter, especially via URL userinfo or fragments.

To detect this vulnerability on your system, you can monitor OAuth2 authorization requests for suspicious redirect_uri parameters that include unusual userinfo components or fragments that could bypass prefix-based validation.

Detection can be based on capturing and inspecting HTTP requests to the OAuth2 authorization endpoint, for example with tcpdump or Wireshark filtered for requests that carry a redirect_uri parameter.

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (the grep only matches plaintext, so on 443 this works only at a point where TLS has already been terminated, e.g. between a reverse proxy and the application): tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep redirect_uri
  • Use curl or similar tools to test redirect_uri parameters with userinfo or fragments to see if the system improperly accepts them.
  • Review application logs for OAuth2 authorization requests containing redirect_uri values with embedded userinfo or fragments.
Mitigation Strategies

The primary mitigation is to apply the patch identified as c2882679a9125cea52678151af5ae213cbd52579, which fixes the redirect_uri validation logic in the OAuth2Client component.

This patch replaces the insecure prefix-based validation with stricter URI parsing and comparison, including rejecting redirect URIs containing fragments and binding authorization codes to the authorized redirect_uri.

Additionally, configure the new option hsweb.oauth2.redirect-uri-validation-mode to enforce stricter validation modes (COMPATIBLE or EXACT) as appropriate for your environment.

Until the patch is applied, consider monitoring and blocking OAuth2 authorization requests with suspicious redirect_uri parameters that could exploit this vulnerability.
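As an added illustration, not code from hsweb-framework or from the patch, the Java below contrasts the prefix-based check described in the summary with a component-based check of the kind the fix introduces. The class name, the registered URI, the candidate values, and the precise meaning given here to COMPATIBLE and EXACT are assumptions; the page does not define the semantics of those two modes. The rejectReason method also serves the log-review step under Detection Guidance, since it states why a logged redirect_uri value would be refused.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

/**
 * Added example, not hsweb-framework code. Registered URI, candidates and the
 * COMPATIBLE/EXACT semantics below are assumptions made for illustration.
 */
public final class RedirectUriCheck {

    enum Mode { COMPATIBLE, EXACT }

    /** The weak check: any string that starts with the registered value passes. */
    static boolean prefixCheck(String registered, String candidate) {
        return candidate.startsWith(registered);
    }

    /** Component-based check: returns null when accepted, otherwise the rejection reason. */
    static String rejectReason(String registered, String candidate, Mode mode) {
        URI reg;
        URI cand;
        try {
            reg = new URI(registered);
            cand = new URI(candidate);
        } catch (URISyntaxException e) {
            return "unparseable URI";
        }
        if (cand.getRawFragment() != null) {
            return "fragment present";          // never legitimate in a redirect_uri
        }
        if (cand.getRawUserInfo() != null) {
            return "userinfo present";          // "https://good@evil/" has host evil
        }
        if (!cand.isAbsolute() || cand.getHost() == null) {
            return "not an absolute URI with a host";
        }
        if (!reg.getScheme().equalsIgnoreCase(cand.getScheme())) {
            return "scheme mismatch";
        }
        if (!reg.getHost().equalsIgnoreCase(cand.getHost())) {
            return "host mismatch";             // catches good.example.evil.example
        }
        if (effectivePort(reg) != effectivePort(cand)) {
            return "port mismatch";
        }
        String regPath = normalizePath(reg.getRawPath());
        String candPath = normalizePath(cand.getRawPath());
        if (mode == Mode.EXACT) {
            // Assumed EXACT semantics: identical path and no query string.
            return (regPath.equals(candPath) && cand.getRawQuery() == null) ? null : "path or query differs";
        }
        // Assumed COMPATIBLE semantics: sub-paths allowed, but only on a "/" boundary,
        // so "/callback-evil" does not match a registered "/callback".
        String boundary = regPath.endsWith("/") ? regPath : regPath + "/";
        return (candPath.equals(regPath) || candPath.startsWith(boundary)) ? null : "path outside registered path";
    }

    static String normalizePath(String rawPath) {
        return (rawPath == null || rawPath.isEmpty()) ? "/" : rawPath;
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        String registered = "https://app.example.com";     // constructed sample
        List<String> candidates = List.of(
            "https://app.example.com/callback",            // legitimate sub-path
            "https://app.example.com@evil.example/",       // userinfo trick from the summary
            "https://app.example.com.evil.example/",       // host-suffix trick
            "https://app.example.com:8443/callback",       // port change
            "https://app.example.com/callback#token");     // fragment
        for (String c : candidates) {
            String reason = rejectReason(registered, c, Mode.COMPATIBLE);
            System.out.printf("%-45s prefix=%-5s component=%s%n",
                c, prefixCheck(registered, c), reason == null ? "accept" : reason);
        }
    }
}
```

Compile with javac and run the class: the first candidate is accepted by both checks, while the userinfo, host-suffix, port and fragment candidates all pass the prefix check and are each refused by the component check with the reason shown. The same rejectReason call can be applied to redirect_uri values extracted from application logs to surface the requests the Detection Guidance section describes.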

Compliance Impact

The vulnerability in the OAuth2 redirect_uri validation of the hsweb-framework allows an attacker to perform an open redirect by bypassing the redirect_uri validation. This could potentially enable phishing attacks or unauthorized redirection of OAuth2 authorization flows.

Such security weaknesses in OAuth2 implementations can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure authentication mechanisms to prevent unauthorized access and data breaches.

By allowing open redirects, the vulnerability could facilitate attacks that compromise user data confidentiality and integrity, thus potentially violating regulatory requirements for secure handling of personal and sensitive information.

Applying the provided patch that enforces stricter redirect_uri validation and binds authorization codes to authorized redirect URIs helps mitigate these risks and supports compliance with such standards.
