Open Redirect Vulnerability in React Router Affects Multiple Versions
CVE-2026-40181

6.6 MEDIUM

Key Information:

Vendor

Remix-run

CVE Published:
2 June 2026

What is CVE-2026-40181?

An open redirect vulnerability in React Router allows certain URLs passed to the redirect function to send the user to an external domain. It occurs because path values beginning with '//' are interpreted by the browser as protocol-relative URLs (the host after the two slashes replaces the application's own), so a value that looks like a site-relative path can leave the site; a redirect built from unvalidated input then becomes an unvalidated redirect. The impact depends on how the application validates the value before executing the redirect. Applications utilizing Declarative Mode with are not affected. The issue has been addressed in versions 7.14.1 and 6.30.4.
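The following is an added example of the validation an application should perform before handing a user-supplied destination to React Router's redirect function. It is not code from the React Router project or from the advisory; the function names isSafeRedirectPath and resolveRedirectTarget and the origin "https://app.example" are this example's own assumptions. It rejects the '//' protocol-relative form described above and, going slightly beyond the page, the backslash variant that browsers normalise to a slash, as well as absolute URLs and control characters.

```javascript
// Added example (not React Router project code): a defender-side guard for
// redirect targets. It is assumed to run before the app calls React Router's
// redirect() helper; the helper itself is not imported here.

// Returns true only for same-origin, path-absolute targets such as "/account".
// Rejects "//evil.example" (protocol-relative), "/\\evil.example" (browsers
// normalise backslashes to slashes in http(s) URLs), "https://evil.example"
// and anything that is not a plain path.
function isSafeRedirectPath(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // Must start with exactly one slash: a second "/" or a "\" makes it host-relative.
  if (target[0] !== "/") return false;
  if (target.length > 1 && (target[1] === "/" || target[1] === "\\")) return false;
  // Reject control characters and whitespace that URL parsers may strip or reinterpret.
  if (/[\u0000-\u001F\u007F\s]/.test(target)) return false;
  // Belt and braces: resolving against a fixed origin must stay on that origin.
  // "https://app.example" is an assumed placeholder origin for this example.
  const base = "https://app.example";
  let parsed;
  try {
    parsed = new URL(target, base);
  } catch {
    return false;
  }
  return parsed.origin === base;
}

// Resolve a post-login destination: use the requested target if it is safe,
// otherwise fall back to a fixed in-app path.
function resolveRedirectTarget(requested, fallback = "/") {
  return isSafeRedirectPath(requested) ? requested : fallback;
}
```

In a loader or action this would be used as `return redirect(resolveRedirectTarget(url.searchParams.get("next")))`, so that a `next=//evil.example` parameter lands on the fallback path instead of leaving the site. The check is deliberately an allow-list (one leading slash, same origin after parsing) rather than a block-list of known bad prefixes.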

Affected Version(s)

react-router: affected >= 7.0.0, < 7.14.1; unaffected < 7.0.0; fixed in 7.14.1

react-router: affected >= 6.7.0, < 6.30.4; unaffected < 6.7.0; fixed in 6.30.4


CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
