CVE-2026-41715

MEDIUM NVD

CVSS Score 6.1

Severity MEDIUM

Published Jun 09, 2026

Vendor unknown

Description

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

References

https://spring.io/security/cve-2026-41715