Affected versions:
Spring Security 7.0.0 through 7.0.5.
Spring Authorization Server 1.5.0 through 1.5.7.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Spring | Spring Security | unaffected |
|
||||||
| Spring | Spring Authorization Server | unaffected |
|
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
No data.
Project Subscriptions
No data.
No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
| Link | Providers |
|---|---|
| https://spring.io/security/cve-2026-41008 |
|
Wed, 10 Jun 2026 00:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7. | |
| Title | Spring Security Authorization Server Open Redirect via request_uri | |
| Weaknesses | CWE-601 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: vmware
Published:
Updated: 2026-06-09T23:47:07.292Z
Reserved: 2026-04-16T02:19:16.426Z
Link: CVE-2026-41008
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-06-10T00:16:50.427
Modified: 2026-06-10T00:16:50.427
Link: CVE-2026-41008
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-10T02:00:13Z