CVE-2026-41008
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
The vulnerability in Spring Security Authorization Server is due to insufficient validation of the request_uri parameter in the authorization endpoint. An attacker can craft a malicious authorization request with an invalid request_uri and an arbitrary, unvalidated redirect_uri, leading to an Open Redirect vulnerability.
Risk Assessment
The risk involves the possibility of redirecting users to a malicious site, which can be exploited for credential theft or phishing attacks.
Recommendation
It is recommended to immediately update Spring Security to version 7.0.6 or later, and Spring Authorization Server to version 1.5.8 or later. If an update is not possible, implement additional validation of the redirect_uri parameter on the server side.
Original NVD description (English source)
Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.

