CVE-2026-41844

Vulnerability

A Spring MVC or Spring WebFlux application that configures a mapping for /** without an explicitly specified view name is vulnerable to an open redirect. This vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can craft a malicious link that, when accessed by a user, results in a 302 redirect to an arbitrary external host by utilizing the redirect: prefix. For Spring MVC applications with the same preconditions, an attacker can also craft a link that results in an internal redirect via the forward: prefix [1]. User interaction is required as the victim must click the crafted link.

Impact

Successful exploitation allows an attacker to redirect users to arbitrary external websites, potentially for phishing or distributing malicious content. The impact is primarily information disclosure and a loss of integrity, as users may be tricked into visiting malicious sites. The scope of the compromise is limited to the user interacting with the crafted link [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: 7.0.8, 6.2.19, 6.1.28, or 5.3.49. No further mitigation steps are necessary beyond upgrading [1].