CVE-2026-41715
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. This occurs only if the HTTP client has been configured to follow redirects.
Risk Assessment
Credential leakage may lead to unauthorized access to organizational resources, posing a significant security threat.
Recommendation
It is recommended to avoid configuring the HTTP client to follow redirects or to update to the latest version to minimize risk.
Original NVD description (English source)
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.

