VYPR
Medium severity, score 6.1 · NVD Advisory · Published Jun 10, 2026

CVE-2026-41706

Description

Spring Security's CookieRequestCache and CookieServerRequestCache are vulnerable to open redirect due to unvalidated redirect URLs stored in cookies.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie. In affected versions, the full absolute URL is stored and used without validation as the post-login redirect target. This affects Spring Security versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5 [1].

Exploitation

An application is vulnerable if it uses CookieRequestCache or CookieServerRequestCache and an attacker can influence the value of the REDIRECT_URI cookie. That influence can come from cookie injection by a related subdomain, from an HTTP response splitting flaw, or from the cookie being set over plain HTTP after a downgrade from HTTPS. The attacker must plant the value before the user completes login, because that is the moment the cookie is read and its URL becomes the redirect target [1].
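The following is an added illustration, not code from Spring Security or from the fix shipped in the patched versions. It shows the two halves of the problem side by side: a redirect target taken straight from the decoded REDIRECT_URI cookie (the vulnerable pattern), and a same-origin check that accepts the stored URL only when its scheme, host and effective port match the request completing login, then re-emits just the path and query. The cookie name comes from the advisory; the assumptions are that the cookie carries the Base64-encoded absolute URL of the saved request and that the current request's URI is available to the check. The sample URLs and the class and method names are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example, not Spring Security's implementation.
// Assumption: the REDIRECT_URI cookie holds the Base64-encoded absolute URL
// of the request that triggered authentication.
public final class RedirectCookieCheck {

    static final String COOKIE_NAME = "REDIRECT_URI";

    static String encodeCookie(String url) {
        return Base64.getEncoder().encodeToString(url.getBytes(StandardCharsets.UTF_8));
    }

    static Optional<String> decodeCookie(String cookieValue) {
        try {
            return Optional.of(new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // malformed cookie: treat as absent
        }
    }

    /** Vulnerable pattern: whatever the cookie decodes to becomes the redirect target. */
    static String vulnerableTarget(String cookieValue) {
        return decodeCookie(cookieValue).orElse("/");
    }

    /** Hardened pattern: use the stored URL only if it is same-origin with the
     *  request completing login; otherwise fall back to a fixed local path. */
    static String safeTarget(String cookieValue, URI currentRequest) {
        Optional<String> stored = decodeCookie(cookieValue);
        if (stored.isEmpty()) return "/";
        URI target;
        try {
            target = new URI(stored.get());
        } catch (URISyntaxException e) {
            return "/";
        }
        // Rejects protocol-relative values such as "//evil.example.net/" and bare garbage.
        if (!target.isAbsolute() || target.getHost() == null) return "/";
        if (!sameOrigin(target, currentRequest)) return "/";
        // Re-emit only path and query: nothing from the cookie's scheme, userinfo or host survives.
        String path = (target.getRawPath() == null || target.getRawPath().isEmpty()) ? "/" : target.getRawPath();
        String query = target.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        URI loginRequest = URI.create("https://app.example.com/login");   // constructed sample
        String[] samples = {
            "https://app.example.com/account?tab=billing",   // legitimate saved request
            "https://evil.example.net/phish",                 // value injected by an attacker
            "https://app.example.com@evil.example.net/",      // userinfo trick: the host is evil.example.net
            "//evil.example.net/phish",                       // protocol-relative URL
            "http://app.example.com/account",                 // HTTPS to HTTP downgrade
        };
        for (String s : samples) {
            String cookie = encodeCookie(s);
            System.out.printf("%-45s vulnerable=%s  safe=%s%n",
                s, vulnerableTarget(cookie), safeTarget(cookie, loginRequest));
        }
    }
}
```

Run with `java RedirectCookieCheck.java` (Java 11 or later). Only the first sample survives the hardened check, and it comes back as `/account?tab=billing` rather than as the absolute URL. The scheme comparison is what makes the downgrade case fail: a cookie written during an HTTP session cannot steer an HTTPS login. As a separate check unrelated to the parsing logic, a cookie of this kind should also carry the Secure attribute so that it is never sent or accepted over plain HTTP in the first place.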

Impact

When exploited, an attacker can cause an authenticated user to be redirected to an attacker-controlled URL immediately after a successful login. This can enable phishing attacks by tricking users into visiting malicious sites while appearing to be on a legitimate application [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6. No further mitigation steps are necessary [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)