CVE-2026-41715
Received Received - Intake
Credentials Leak in Reactor Netty HTTP Client via Insecure Redirects

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-41715
EUVD
EUVD-2026-35322
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware reactor_netty From 1.0.0 (inc) to 1.0.51 (inc)
vmware reactor_netty From 1.1.0 (inc) to 1.1.35 (inc)
vmware reactor_netty From 1.2.0 (inc) to 1.2.17 (inc)
vmware reactor_netty From 1.3.0 (inc) to 1.3.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41715 is a security vulnerability in the Reactor Netty HTTP client where credentials may be leaked during HTTP redirects from a secure (HTTPS) endpoint to an insecure (HTTP) endpoint.

This leakage only occurs if the HTTP client is explicitly configured to follow redirects.

The affected versions include Reactor Netty 1.0.0 through 1.0.51, 1.1.0 through 1.1.35, 1.2.0 through 1.2.17, and 1.3.0 through 1.3.5.

Compliance Impact

The vulnerability involves leaking credentials during HTTP redirects from secure to insecure endpoints if the Reactor Netty HTTP client is configured to follow redirects.

Such credential leakage could potentially lead to unauthorized access to sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, no explicit information about compliance impact or regulatory considerations is provided in the available resources.

Impact Analysis

This vulnerability can lead to the unintended exposure of sensitive credentials when an HTTP client follows redirects from a secure to an insecure endpoint.

Such credential leakage can compromise user authentication data, potentially allowing attackers to gain unauthorized access to systems or data.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Reactor Netty HTTP client to a fixed version.

  • Upgrade to version 1.0.52 (Enterprise Support Only)
  • Upgrade to version 1.1.36 (Enterprise Support Only)
  • Upgrade to version 1.2.18 (OSS)
  • Upgrade to version 1.3.6 (OSS)

No additional mitigation steps are required beyond upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41715. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart