Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect
CVE-2026-41715

6.1MEDIUM

Key Information:

Vendor: Spring
Status: Reactor Netty
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-41715?

In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

Affected Version(s)

Reactor Netty 1.0.0 < 1.0.52

Reactor Netty 1.1.0 < 1.1.36

Reactor Netty 1.2.0 < 1.2.18

References

https://spring.io/security/cve-2026-41715

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41715 Data

JSON

Spring

What is CVE-2026-41715?

Affected Version(s)

References

CVSS V3.1

Timeline