CVE-2026-41715
Awaiting Analysis Awaiting Analysis - Queue

Credentials Leak in Reactor Netty HTTP Client via Insecure Redirects

Publication date: 2026-06-09

Last updated on: 2026-06-23

Assigner: VMware

Description
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-23
Generated
2026-06-29
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
CVE-2026-41715
EUVD
EUVD-2026-35322

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
vmware reactor_netty From 1.0.0 (inc) to 1.0.51 (inc)
vmware reactor_netty From 1.1.0 (inc) to 1.1.35 (inc)
vmware reactor_netty From 1.2.0 (inc) to 1.2.17 (inc)
vmware reactor_netty From 1.3.0 (inc) to 1.3.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41715 is a security vulnerability in the Reactor Netty HTTP client where credentials may be leaked during HTTP redirects from a secure (HTTPS) endpoint to an insecure (HTTP) endpoint.

This leakage only occurs if the HTTP client is explicitly configured to follow redirects.

The affected versions include Reactor Netty 1.0.0 through 1.0.51, 1.1.0 through 1.1.35, 1.2.0 through 1.2.17, and 1.3.0 through 1.3.5.

Compliance Impact

The vulnerability involves leaking credentials during HTTP redirects from secure to insecure endpoints if the Reactor Netty HTTP client is configured to follow redirects.

Such credential leakage could potentially lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, no explicit information about compliance impact or regulatory considerations is provided in the available resources.

Impact Analysis

This vulnerability can lead to the unintended exposure of sensitive credentials when an HTTP client follows redirects from a secure to an insecure endpoint.

Such credential leakage can compromise user authentication data, potentially allowing attackers to gain unauthorized access to systems or data.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Reactor Netty HTTP client to a fixed version.

  • Upgrade to version 1.0.52 (Enterprise Support Only)
  • Upgrade to version 1.1.36 (Enterprise Support Only)
  • Upgrade to version 1.2.18 (OSS)
  • Upgrade to version 1.3.6 (OSS)

No additional mitigation steps are required beyond upgrading.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41715. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart