Open Redirector in spring-security-oauth2
Description
Spring Security OAuth is vulnerable to an open redirector attack that can leak an authorization code via a manipulated redirect_uri parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Analysis
Spring Security OAuth versions prior to 2.3.6, 2.2.5, 2.1.5, and 2.0.18, as well as older unsupported versions, are susceptible to an open redirector attack. The vulnerability lies in the authorization endpoint, where the redirect_uri parameter is not properly validated against the URIs registered for the client. An attacker can craft an authorization request using the authorization code grant type that carries a manipulated redirection URI. The authorization server then redirects the resource owner's user-agent to a URI under the attacker's control, leaking the authorization code in the process [1][2].
Exploitation
An attacker can exploit this by preparing a carefully crafted link that targets the authorization endpoint of an OAuth provider running a vulnerable version. The attack requires no authentication beyond the normal OAuth flow. The manipulated redirect_uri parameter directs the server to send the authorization code to an attacker-controlled endpoint. The resource owner must be tricked into initiating the OAuth flow through the crafted link, which then leaks the authorization code to the attacker [1][2].
Impact
If successful, the attacker obtains a valid authorization code and can exchange it for an access token to the resource owner's account on the client application (the OAuth client). This could lead to unauthorized access to user data and resources [1][2].
Mitigation
Users should upgrade to patched versions: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, or 2.0.18. Older unsupported versions must be migrated to a supported release. No workaround is provided for the open redirector; upgrading is the recommended remediation [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.security.oauth:spring-security-oauth (Maven) | >= 2.0.0.RELEASE, < 2.0.18.RELEASE | 2.0.18.RELEASE |
| org.springframework.security.oauth:spring-security-oauth (Maven) | >= 2.1.0.RELEASE, < 2.1.5.RELEASE | 2.1.5.RELEASE |
| org.springframework.security.oauth:spring-security-oauth (Maven) | >= 2.2.0.RELEASE, < 2.2.5.RELEASE | 2.2.5.RELEASE |
| org.springframework.security.oauth:spring-security-oauth (Maven) | >= 2.3.0.RELEASE, < 2.3.6.RELEASE | 2.3.6.RELEASE |
Affected products
- Range: >= 2.0.0.RELEASE, < 2.0.18.RELEASE
- Range: 2.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/advisories/GHSA-mmf6-6597-3v6m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-11269 (GHSA advisory)
- packetstormsecurity.com/files/153299/Spring-Security-OAuth-2.3-Open-Redirection.html (MISC)
- pivotal.io/security/cve-2019-11269 (CONFIRM)
- www.oracle.com/security-alerts/cpujan2021.html (MISC)
News mentions
No linked articles in our index yet.