
CVE-2026-41706: Spring Security Auth Bypass Vulnerability

CVE-2026-41706 is an authentication bypass flaw in Spring Security's CookieRequestCache that allows attackers to exploit unvalidated redirect URLs. This article covers the technical details, affected versions, and mitigation.

CVE-2026-41706 Overview

CVE-2026-41706 is an open redirect vulnerability (CWE-601) in Spring Security's CookieRequestCache and CookieServerRequestCache components. These components store the pre-authentication request URL in a browser cookie to redirect users to their intended destination after login. In affected versions, the full absolute URL is stored in the cookie and used without validation as the post-login redirect target. An attacker can craft a malicious cookie value that redirects authenticated users to an attacker-controlled domain, enabling phishing and credential theft scenarios.

Critical Impact

Authenticated users can be redirected to attacker-controlled external sites after successful login, facilitating phishing and credential harvesting attacks.

Affected Products

  • Spring Security 5.7.0 through 5.7.23 and 5.8.0 through 5.8.25
  • Spring Security 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, and 6.5.0 through 6.5.10
  • Spring Security 7.0.0 through 7.0.5

Discovery Timeline

  • 2026-06-10 - CVE-2026-41706 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-41706

Vulnerability Analysis

Spring Security provides request caching mechanisms to preserve a user's original destination URL during the authentication flow. The CookieRequestCache (servlet stack) and CookieServerRequestCache (reactive stack) implementations persist this state in a browser cookie rather than the server-side session. After authentication, the framework reads the stored URL and issues an HTTP redirect to send the user to that location.

The vulnerability stems from missing validation of the redirect target. The affected components store the full absolute URL and trust it on read, allowing arbitrary external destinations. This pattern matches the classic URL Redirection to Untrusted Site weakness tracked as CWE-601.

Root Cause

The cookie value is decoded and used directly as the redirect target without verifying that the host matches the application's origin. Because cookies are attacker-influenceable through prior interaction with the victim's browser, the post-login redirect can be steered to any URL the attacker chooses.

Attack Vector

An attacker first induces the victim's browser to set the Spring Security request cache cookie to an attacker-controlled URL. This can occur through a crafted link, a cooperating subdomain, or a related cross-site vector. When the victim later authenticates to the legitimate application, Spring Security reads the poisoned cookie and redirects the now-authenticated user to the external site. The destination page can imitate the original application to harvest credentials, session tokens, or OAuth authorization codes. User interaction is required, and the attack succeeds against any application using the cookie-based request cache.

Refer to the Spring Security Advisory CVE-2026-41706 for vendor technical details.

Detection Methods for CVE-2026-41706

Indicators of Compromise

  • HTTP 302 responses from Spring Security login endpoints with Location headers pointing to external hosts not on the application's allowlist.
  • Inbound requests containing a request cache cookie whose decoded value references a domain different from the application origin.
  • Spike in post-login navigation events terminating on unfamiliar third-party domains shortly after /login success.

Detection Strategies

  • Inspect application access logs for sequences where a POST /login is immediately followed by a redirect to an off-domain URL.
  • Add a web application firewall rule that flags or strips request cache cookies whose decoded URL host does not match the configured application host.
  • Audit deployed Spring Security versions across services and flag any running a vulnerable range listed in the advisory.
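As an added example (not from this page or the Spring project), the first strategy above implemented over constructed access-log lines: the log format, client addresses and hostnames are invented for the example, and a line is flagged when a POST to /login answers with a 3xx whose Location leaves the application's own host.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LoginRedirectDetector {

    // Constructed sample log (fields: client, method, path, status, Location or "-").
    // The 10.0.0.9 client is sent off-domain straight after login; the others are benign.
    static final String SAMPLE_LOG = String.join("\n",
        "10.0.0.5 POST /login 302 https://app.example.com/dashboard",
        "10.0.0.5 GET /dashboard 200 -",
        "10.0.0.7 POST /login 302 /account",
        "10.0.0.9 POST /login 302 https://app-example-login.com/verify");

    private static final Pattern LINE = Pattern.compile("^(\\S+) (\\S+) (\\S+) (\\d{3}) (\\S+)$");

    // True when a Location value leaves the application origin.
    // Path-only targets ("/account") stay on-site; scheme-relative ones ("//host/x") do not.
    static boolean isOffDomain(String location, String appHost) {
        if (location.startsWith("/") && !location.startsWith("//")) return false;
        try {
            String host = URI.create(location).getHost();
            return host == null || !host.equalsIgnoreCase(appHost);
        } catch (IllegalArgumentException e) {
            return true; // unparsable Location: treat as suspicious
        }
    }

    // Returns the log lines where POST /login answered with a redirect off the application host.
    static List<String> findOffDomainLoginRedirects(String log, String appHost) {
        List<String> hits = new ArrayList<>();
        for (String line : log.split("\n")) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            boolean loginPost = "POST".equals(m.group(2)) && m.group(3).startsWith("/login");
            boolean redirect = m.group(4).startsWith("3") && !"-".equals(m.group(5));
            if (loginPost && redirect && isOffDomain(m.group(5), appHost)) hits.add(line);
        }
        return hits;
    }

    public static void main(String[] args) {
        findOffDomainLoginRedirects(SAMPLE_LOG, "app.example.com")
            .forEach(line -> System.out.println("ALERT off-domain post-login redirect: " + line));
    }
}
```

Real access logs rarely carry the Location header by default, so the check belongs wherever the redirect target is logged (a response-header log format or the login success handler itself).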

Monitoring Recommendations

  • Centralize authentication and redirect events and alert on anomalous Location header destinations during the login flow.
  • Track baseline post-login redirect targets per application and alert on deviations to new external domains.
  • Correlate phishing reports from users with login-time redirect telemetry to identify exploitation attempts.

How to Mitigate CVE-2026-41706

Immediate Actions Required

  • Upgrade Spring Security to a fixed release line above the affected version ranges as published in the vendor advisory.
  • Inventory all applications using CookieRequestCache or CookieServerRequestCache and prioritize internet-facing services.
  • Review authentication success handlers and ensure redirect targets are validated against an allowlist of trusted hosts.

Patch Information

Apply the Spring Security maintenance releases referenced in the Spring Security Advisory CVE-2026-41706. Versions outside the affected ranges (5.7.24+, 5.8.26+, 6.3.17+, 6.4.17+, 6.5.11+, 7.0.6+) contain the validation fix.

Workarounds

  • Replace CookieRequestCache or CookieServerRequestCache with the default HttpSessionRequestCache until patching is possible.
  • Configure a custom RequestCache that validates the stored URL host against an allowlist before returning it to the authentication success handler.
  • Implement a servlet filter or ServerWebExchange filter that strips the request cache cookie when its decoded value references an external host.

```bash
# Example: pin Spring Security to a fixed version in Maven
# Replace with the appropriate fixed line for your application
mvn versions:set-property -Dproperty=spring-security.version -DnewVersion=6.5.11
```
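One way to implement the allowlisting RequestCache workaround listed above, as an added example rather than the vendor's or project's code: it assumes Spring Security 6 on the servlet stack (jakarta.servlet), and the class name and host allowlist are chosen for the example.

```java
import java.net.URI;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.savedrequest.CookieRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

// Wraps CookieRequestCache and only hands back a saved request whose redirect URL
// targets an allowlisted host; anything else is discarded and the cookie is cleared.
public class HostValidatingRequestCache implements RequestCache {

    private final RequestCache delegate = new CookieRequestCache();
    private final Set<String> allowedHosts; // e.g. Set.of("app.example.com"), chosen by the caller

    public HostValidatingRequestCache(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    // Exact, case-insensitive host match. Scheme-relative ("//evil.example/x") and absolute
    // URLs both carry a host; null, host-less or unparsable values fail closed.
    static boolean isAllowedRedirect(String redirectUrl, Set<String> allowedHosts) {
        if (redirectUrl == null) return false;
        try {
            String host = URI.create(redirectUrl).getHost();
            return host != null && allowedHosts.stream().anyMatch(h -> h.equalsIgnoreCase(host));
        } catch (IllegalArgumentException ex) {
            return false;
        }
    }

    @Override
    public SavedRequest getRequest(HttpServletRequest request, HttpServletResponse response) {
        SavedRequest saved = delegate.getRequest(request, response);
        if (saved == null || isAllowedRedirect(saved.getRedirectUrl(), allowedHosts)) return saved;
        delegate.removeRequest(request, response); // drop the poisoned cookie
        return null; // the success handler then falls back to its default target URL
    }

    @Override
    public HttpServletRequest getMatchingRequest(HttpServletRequest request, HttpServletResponse response) {
        return getRequest(request, response) == null ? null : delegate.getMatchingRequest(request, response);
    }

    @Override public void saveRequest(HttpServletRequest req, HttpServletResponse res) { delegate.saveRequest(req, res); }

    @Override public void removeRequest(HttpServletRequest req, HttpServletResponse res) { delegate.removeRequest(req, res); }
}
```

Register it on the HttpSecurity builder with http.requestCache(c -> c.requestCache(new HostValidatingRequestCache(Set.of("app.example.com")))); the reactive stack needs the same host check wrapped around CookieServerRequestCache.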

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
