| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Security | >= 5.7.0, < 5.7.24 | affected |
| Spring | Spring Security | >= 5.8.0, < 5.8.26 | affected |
| Spring | Spring Security | >= 6.3.0, < 6.3.17 | affected |
| Spring | Spring Security | >= 6.4.0, < 6.4.17 | affected |
| Spring | Spring Security | >= 6.5.0, < 6.5.11 | affected |
| Spring | Spring Security | >= 7.0.0, < 7.0.6 | affected |
| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Spring | Spring Security | 5.7.0 ~ 5.7.24 | - |
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| - | No public POC found. | - | - |

| CVE | CVSS | Title |
|---|---|---|
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41003 | 7.6 HIGH | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41007 | 7.5 HIGH | Spring HATEOAS heap exhaustion through unbounded internal caching |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-40984 | 7.5 HIGH | Micrometer HTTP server instrumentations DoS vulnerability |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |
Showing top 20 of 51 CVEs.