CVE-2026-41844
Open Redirect in Spring Framework

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Meta Information
Published: 2026-06-09
Last modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS evaluated: N/A
Affected Vendors & Products (4 associated CPEs)

  • vmware / spring_framework: from 7.0.0 (inclusive) to 7.0.7 (inclusive)
  • vmware / spring_framework: from 6.2.0 (inclusive) to 6.2.18 (inclusive)
  • vmware / spring_framework: from 6.1.0 (inclusive) to 6.1.27 (inclusive)
  • vmware / spring_framework: from 5.3.0 (inclusive) to 5.3.48 (inclusive)
CWE

CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Detection Guidance

This vulnerability involves an attacker crafting a link that causes a 302 redirect to an arbitrary external host using the "redirect:" prefix in affected Spring MVC or Spring WebFlux applications.

To detect this vulnerability on your system or network, monitor for requests whose URL carries the "redirect:" prefix and for HTTP responses with an unexpected 302 status whose Location header points to an external host.

For example, you can use tools like curl or wget to test endpoints that map to "/**" without an explicit view name and observe whether a crafted URL triggers a 302 redirect to an external site.

  • curl -I "http://your-application/path?redirect=http://malicious.example.com"
  • Check whether the response headers include a Location field pointing to an external host.

Additionally, network monitoring tools or web application firewalls can be configured to alert on 302 redirects to external domains originating from your application.
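
Added example (not from the advisory or the Spring project) of the monitoring idea above: a Python check over constructed request/response records that flags request paths carrying the "redirect:" or "forward:" view-name prefixes and 302 responses whose Location header leaves the application's own hosts. The OWN_HOSTS allowlist, the record fields and the sample records are assumptions for the example.

```python
from urllib.parse import unquote, urlsplit

# Hosts the application is allowed to redirect to (assumed; set per deployment).
OWN_HOSTS = {"app.example.internal", "www.example.internal"}

# View-name prefixes the advisory names: "redirect:" and, for Spring MVC, "forward:".
VIEW_PREFIXES = ("redirect:", "forward:")

def path_carries_view_prefix(path: str) -> bool:
    """True if any percent-decoded path segment starts with a special view-name prefix."""
    segments = unquote(path).lower().split("/")
    return any(seg.startswith(VIEW_PREFIXES) for seg in segments)

def location_is_external(location) -> bool:
    """True if a Location header names a host outside OWN_HOSTS (absolute or //host form)."""
    if not location:
        return False
    host = urlsplit(location.strip()).hostname
    if host is None:  # relative target such as /login stays on this origin
        return False
    return host.lower() not in OWN_HOSTS

def classify(record: dict) -> list:
    """Return the detection reasons that apply to one request/response record."""
    reasons = []
    if path_carries_view_prefix(record["path"]):
        reasons.append("view-prefix-in-path")
    if record["status"] == 302 and location_is_external(record.get("location")):
        reasons.append("external-302")
    return reasons

def scan(records) -> list:
    """Return (path, reasons) for every record that triggers at least one detection."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append((rec["path"], reasons))
    return hits

# Constructed sample records (not real traffic): request path, status, Location header.
SAMPLE_RECORDS = [
    {"path": "/static/app.js", "status": 200, "location": None},
    {"path": "/logout", "status": 302, "location": "/login"},
    {"path": "/account", "status": 302, "location": "https://www.example.internal/account"},
    {"path": "/redirect:https://attacker.example/phish", "status": 302, "location": "https://attacker.example/phish"},
    {"path": "/REDIRECT%3A//attacker.example", "status": 302, "location": "//attacker.example"},
    {"path": "/forward:/internal/page", "status": 200, "location": None},
]
```

Running scan(SAMPLE_RECORDS) returns the three suspicious records with their reasons; legitimate same-origin and same-host 302s are not reported.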

Upgrading to the fixed versions of Spring Framework is the recommended mitigation.

Executive Summary

CVE-2026-41844 is a security vulnerability in the Spring Framework affecting Spring MVC and Spring WebFlux applications.

The issue occurs when an application configures a mapping for "/**" without explicitly specifying the view name, allowing an attacker to craft a malicious link that causes a 302 redirect to an arbitrary external host using the "redirect:" prefix.

In Spring MVC applications with similar conditions, an attacker can also perform an internal redirect using the "forward:" prefix.

Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

Impact Analysis

This vulnerability allows an attacker to craft links that redirect users to arbitrary external hosts via a 302 redirect.

Such open redirect attacks can be used for phishing, redirecting users to malicious sites, or bypassing security controls.

In Spring MVC applications, attackers may also perform internal redirects, potentially leading to further exploitation.

The overall impact includes loss of user trust, potential exposure to malicious content, and indirect compromise of application security.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade the Spring Framework to a fixed version.

  • Upgrade to Spring Framework 7.0.8 (OSS) or 7.0.7.1 (Commercial) for 7.0.x versions.
  • Upgrade to 6.2.19 (OSS) or 6.2.18.1 (Commercial) for 6.2.x versions.
  • Upgrade to 6.1.28 (Commercial) for 6.1.x versions.
  • Upgrade to 5.3.49 (Commercial) for 5.3.x versions.

No additional mitigation steps are required beyond upgrading.
