CVE-2026-41008
Status: Received - Intake
Open Redirect in Spring Security Authorization Server

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.
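The mechanism in the description, as an added example written for this page (it is not Spring's code and does not reproduce the actual Spring source): a minimal authorization endpoint whose error path for an unknown request_uri redirects to the redirect_uri carried in the same request before validating it, beside a hardened version that applies the OAuth 2.0 rules the fix must honour (redirect_uri must match the client's registration per RFC 6749 section 3.1.2; a redirect_uri that cannot be validated must be reported to the user, never followed, per RFC 6749 section 4.1.2.1; a request_uri is resolved against the pushed requests the server issued, per RFC 9126). The client id, registered URI, request_uri values, hostnames and function names are all constructed for the example.

```python
"""Model of the authorization-endpoint error path described in CVE-2026-41008.

Added example for this page, not Spring's code. Client registration, issued
request_uri values and hostnames are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlparse

# Constructed client registration: the only redirect URI this client may use.
REGISTERED_CLIENTS = {"demo-client": {"https://app.example.com/callback"}}

# Constructed store of request_uri values the server previously issued (RFC 9126
# pushed authorization requests), each bound to the client and redirect_uri
# from the pushed request.
ISSUED_REQUEST_URIS = {
    "urn:ietf:params:oauth:request_uri:abc123": {
        "client_id": "demo-client",
        "redirect_uri": "https://app.example.com/callback",
    },
}


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # Location header, present only on a 302
    body: str = ""


def error_redirect(redirect_uri: str, error: str) -> Response:
    """Build an RFC 6749 error response delivered by redirect."""
    sep = "&" if urlparse(redirect_uri).query else "?"
    return Response(302, redirect_uri + sep + urlencode({"error": error}))


def authorize_vulnerable(params: dict) -> Response:
    """Error path shaped like the advisory's description: an unknown request_uri
    is reported by redirecting to whatever redirect_uri the request carried,
    before that URI has been checked against the client's registration.
    This is the bug pattern, not Spring's actual source."""
    request_uri = params.get("request_uri")
    if request_uri is not None and request_uri not in ISSUED_REQUEST_URIS:
        return error_redirect(params.get("redirect_uri", ""), "invalid_request_uri")
    return authorize_hardened(params)  # everything else behaves correctly


def authorize_hardened(params: dict) -> Response:
    """Validate the redirect target before trusting it for anything."""
    client_id = params.get("client_id")
    request_uri = params.get("request_uri")
    if request_uri is not None:
        pushed = ISSUED_REQUEST_URIS.get(request_uri)
        if pushed is None or pushed["client_id"] != client_id:
            # No validated redirect_uri exists at this point, so the error is
            # shown to the user rather than sent anywhere (RFC 6749 4.1.2.1).
            return Response(400, body="invalid_request_uri")
        # The redirect target comes from the pushed request, not the front channel.
        redirect_uri = pushed["redirect_uri"]
    else:
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in REGISTERED_CLIENTS.get(client_id, set()):
            return Response(400, body="invalid_request: redirect_uri mismatch")
    return Response(302, redirect_uri + "?code=constructed-code")  # success path, simplified


def probe(handler) -> Optional[str]:
    """Send the attacker's request to a handler and return the host the user
    would be redirected to, or None if the server rendered an error instead."""
    attack = {
        "client_id": "demo-client",
        "response_type": "code",
        "request_uri": "urn:ietf:params:oauth:request_uri:does-not-exist",
        "redirect_uri": "https://evil.example.net/phish",
    }
    resp = handler(attack)
    return urlparse(resp.location).hostname if resp.status == 302 else None


if __name__ == "__main__":
    print("vulnerable ->", probe(authorize_vulnerable))  # evil.example.net
    print("hardened   ->", probe(authorize_hardened))    # None
```

The probe is the same request shape a tester would send to a live endpoint: the only signal needed is whether the response is a 302 whose Location host is one the attacker chose, or an error rendered by the authorization server itself.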
Affected Vendors & Products
Vendor           Product                       Version / Range
spring_project   spring_security               7.0 (7.0.0 through 7.0.5 affected; fixed in 7.0.6)
spring_project   spring_authorization_server   1.5 (1.5.0 through 1.5.7 affected; fixed in 1.5.8)
CWE
CWE ID    Description
CWE-601   URL Redirection to Untrusted Site ('Open Redirect'): the web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect.
Executive Summary

CVE-2026-41008 is an open redirect in the authorization endpoint of Spring Security Authorization Server. The endpoint does not validate the request_uri parameter sufficiently: a request that carries an invalid request_uri together with an attacker-chosen redirect_uri can cause the server to send the user to that redirect_uri without checking it against the client's registered redirect URIs.

Because the redirect is issued by the authorization server itself, the destination can be any external site the attacker names.

Impact Analysis

An attacker who can get a user to open a crafted authorization URL can redirect that user to a site of the attacker's choosing. The link the user sees points at a legitimate authorization server, so the usual cue of an unfamiliar domain is absent, which makes the flaw useful for phishing, credential theft and malware delivery.

The advisory classifies the issue as an open redirect (CWE-601) and does not describe leakage of authorization codes or tokens; the direct impact is on where the user's browser is sent, not on the OAuth tokens themselves.

Mitigation Strategies

Upgrade to a fixed release of whichever product line the application depends on:

  • Spring Security: upgrade to 7.0.6 or later.
  • Spring Authorization Server: upgrade to 1.5.8 or later.

After upgrading, confirm the fix from the outside: an authorization request carrying an unknown request_uri and a redirect_uri that is not registered for the client must produce an error page from the authorization server, not a 302 to the supplied redirect_uri. That is the behaviour RFC 6749 section 4.1.2.1 requires whenever the redirect_uri cannot be validated.
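Checking a dependency inventory against the two version ranges above, as an added example for this page (not part of the advisory or of Spring). The affected and fixed versions are taken from the text above. The Maven group and artifact id, and the rule that maps the artifact's major version to the two product lines named on the page (1.5.x to Spring Authorization Server, 7.0.x to Spring Security), are assumptions; the inventory lines are constructed in the shape of `mvn dependency:list` output, and the handling of pre-release qualifiers (7.0.6-SNAPSHOT is still before the 7.0.6 fix) is the conservative choice a triager would make.

```python
"""Triage a dependency inventory against the version ranges in this advisory.

Added example for this page, not the advisory's or Spring's code. Ranges come
from the advisory text; the Maven coordinate and the major-version-to-product
mapping are assumptions; the inventory lines are constructed.
"""
import re
from typing import List, Optional, Tuple

# Product line -> (first affected, first fixed), from the advisory.
RANGES = {
    "spring_security": ((7, 0, 0), (7, 0, 6)),
    "spring_authorization_server": ((1, 5, 0), (1, 5, 8)),
}

# Assumed coordinate of the authorization server module (not stated on the page).
ARTIFACT = "org.springframework.security:spring-security-oauth2-authorization-server"

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_INVENTORY = """\
[INFO]    org.springframework.security:spring-security-core:jar:7.0.5:compile
[INFO]    org.springframework.security:spring-security-oauth2-authorization-server:jar:7.0.5:compile
[INFO]    org.springframework.security:spring-security-oauth2-authorization-server:jar:1.5.8:compile
[INFO]    org.springframework.security:spring-security-oauth2-authorization-server:jar:7.0.6-SNAPSHOT:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:4.0.1:compile
"""

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.](.+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '7.0.6-SNAPSHOT' into ((7, 0, 6), 'SNAPSHOT'); ValueError if not x.y.z."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def product_for(major: int) -> Optional[str]:
    """Assumed mapping of the module's major version to the page's product lines."""
    return {7: "spring_security", 1: "spring_authorization_server"}.get(major)


def is_affected(product: str, version: str) -> bool:
    """True if version falls in the advisory's affected range for that product.

    A pre-release of the first fixed version (7.0.6-SNAPSHOT, 7.0.6-RC1) sorts
    before the GA release in Maven, so it is treated as still affected."""
    if product not in RANGES:
        return False
    first_affected, first_fixed = RANGES[product]
    nums, qualifier = parse_version(version)
    if first_affected <= nums < first_fixed:
        return True
    return nums == first_fixed and qualifier is not None


def triage(inventory: str) -> List[str]:
    """Return the coordinates in a dependency listing that need the upgrade."""
    flagged = []
    for line in inventory.splitlines():
        fields = line.split()[-1].split(":") if line.strip() else []
        if len(fields) < 5:
            continue  # not a group:artifact:type[:classifier]:version:scope coordinate
        group, artifact, version = fields[0], fields[1], fields[-2]
        if f"{group}:{artifact}" != ARTIFACT:
            continue
        product = product_for(parse_version(version)[0][0])
        if product and is_affected(product, version):
            flagged.append(f"{group}:{artifact}:{version} ({product})")
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY):
        print("affected:", hit)
```

Only the authorization server module is matched; an application that pulls in spring-security-core 7.0.5 without that module has nothing for this advisory to affect, which is why the first sample line is not flagged.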