CVE-2026-41844

URL Redirect/Open Redirect
Affects
Spring Framework
in
Spring
Versions
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is the foundational application framework for the Java platform, providing the core inversion-of-control container along with the Spring MVC (servlet-based) and Spring WebFlux (reactive) web stacks. Both web stacks support view resolution, where a controller returns a logical view name that a ViewResolver turns into a rendered response. When a controller does not return an explicit view name, Spring derives a default view name from the incoming request path: DefaultRequestToViewNameTranslator does this in Spring MVC and ViewResolutionResultHandler does this in Spring WebFlux.

A medium-severity vulnerability (CVE-2026-41844) has been identified in that default view-name resolution. Spring's UrlBasedViewResolver treats the special redirect: prefix in a view name as an instruction to issue an HTTP redirect, and the forward: prefix (Spring MVC only) as an instruction to perform an internal RequestDispatcher forward. Because the default view name is derived directly from the request path (only the leading slash and any file extension are stripped; the prefix is never inspected), an application that maps a wildcard path such as /** to a handler that does not specify an explicit view name will translate a request path beginning with redirect: followed by an external URL into a redirect view. The resolver then issues a 302 redirect to the attacker-controlled external host. A victim who follows a crafted link is silently redirected off-site, which enables phishing and credential-harvesting attacks. In Spring MVC the same path-to-view-name translation also honors the forward: prefix, allowing an attacker to coerce an internal forward to an unintended server-side resource.

Per OWASP, unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause it to redirect the request to a URL contained within untrusted input; by modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. That is precisely the failure mode here: the untrusted request path flows unvalidated into the view name that drives redirect: and forward: handling.

The CVSS v3.1 base score for this vulnerability is 4.2 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The attack vector is Network, attack complexity is High because exploitation requires the application to use a wildcard mapping with no explicit view name, no privileges are required, and User Interaction is Required because a victim must follow the crafted link. The scope is Unchanged, and the confidentiality and integrity impacts are Low (an off-site redirect or an unintended internal forward); there is no availability impact.

This issue affects Spring Framework >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7.

Details

Module Info

Vulnerability Info

The vulnerability is in the default view-name resolution that Spring performs when a controller does not return an explicit view name. In Spring MVC this is DefaultRequestToViewNameTranslator.getViewName(HttpServletRequest) in the spring-webmvc module; in Spring WebFlux it is ViewResolutionResultHandler.getDefaultViewName(ServerWebExchange) in the spring-webflux module. Both build the view name directly from the request path and then hand it to a UrlBasedViewResolver, which interprets the redirect: and (for MVC) forward: prefixes as redirect and forward instructions respectively.

Pre-fix, the Spring MVC translator returned the path-derived view name with no inspection of its prefix:

@Override
public String getViewName(HttpServletRequest request) {
    String path = ServletRequestPathUtils.getCachedPathValue(request);
    return (this.prefix + transformPath(path) + this.suffix);
}

The Spring WebFlux handler likewise derived the default view name from the request path with no prefix check:

private String getDefaultViewName(ServerWebExchange exchange) {
    String path = exchange.getRequest().getPath().pathWithinApplication().value();
    if (path.startsWith("/")) {
        path = path.substring(1);
    }
    if (path.endsWith("/")) {
        path = path.substring(0, path.length() - 1);
    }
    return StringUtils.stripFilenameExtension(path);
}


When such a handler is reached through a wildcard mapping like /**, the attacker controls the path, and therefore controls the prefix of the resulting view name. A request whose path is redirect: followed by an external URL produces a view name with that same redirect: prefix, which UrlBasedViewResolver resolves to a RedirectView and emits as a 302 to the external host. In Spring MVC a request whose path begins with forward: similarly produces a server-side forward to an unintended resource.

The default view-name translation behavior predates the upstream advisory's listed range. DefaultRequestToViewNameTranslator has existed since Spring 2.0 and ViewResolutionResultHandler since Spring 5.0, and both derived the default view name from the request path without prefix validation throughout. The upstream advisory lists 5.3.0 as its floor, reflecting the scope Spring tracks; older lines, including the 4.3.x line covered by NES support and included in the version range above, are also affected through the same Spring MVC code path.

Steps To Reproduce

1. Build a Spring MVC (or Spring WebFlux) application on an affected version (for example Spring Framework 5.3.48) with a controller mapped to a wildcard path that returns no explicit view name:

   @Controller
   public class CatchAllController {

       @GetMapping("/**")
       public void handle() {
           // no explicit view name: the framework derives one from the request path
       }
   }


2. Configure a UrlBasedViewResolver (or any subclass, such as InternalResourceViewResolver or ThymeleafViewResolver) so that view names are resolved through the standard view-resolution chain. This is the default in typical Spring MVC and WebFlux setups.

3. Send a request whose path begins with the redirect: prefix:

   GET /redirect:https://attacker.example/ HTTP/1.1
   Host: victim.example

4. Observe that the application responds with a 302 redirect (a Location header pointing at the attacker-controlled host):

   HTTP/1.1 302 Found
   Location: https://attacker.example/

5. For Spring MVC, repeat with a forward: prefix (for example GET /forward:/WEB-INF/internal-page) and observe that the request is forwarded internally to the named resource.

6. After upgrading to a fixed version (Spring Framework 6.2.19 or 7.0.8), repeat steps 3 through 5. The application now responds with HTTP 400 (Bad Request) and a message rejecting the path that carries a redirect: or forward: prefix, and no redirect or forward is performed.
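As an added check (not part of the HeroDevs advisory or of Spring's own code), the standalone Java program below sends the redirect: probe from steps 3 and 4 to a deployment and classifies the answer: an off-site 302 whose Location host is the canary host means the path-derived view name was honored, a 400 is consistent with a fixed version, and anything else is reported for manual review. The base URL, the canary host canary.invalid and the class name are placeholders; it uses only java.net.http from the JDK (11+).

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

/**
 * Probe for CVE-2026-41844: request /redirect:https://<canary>/ and inspect
 * the response without following redirects. Added example; base URL and
 * canary host are placeholders.
 */
public class OpenRedirectProbe {

    // Host we expect in Location if the default view-name path is honored (placeholder).
    static final String CANARY_HOST = "canary.invalid";

    public static void main(String[] args) throws Exception {
        String base = args.length > 0 ? args[0] : "http://localhost:8080";
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER) // observe the 302, do not follow it
                .connectTimeout(Duration.ofSeconds(5))
                .build();

        // Same request as step 3: the redirect: prefix sits in the request path itself.
        URI probe = URI.create(base + "/redirect:https://" + CANARY_HOST + "/");
        HttpRequest request = HttpRequest.newBuilder(probe).GET().build();
        HttpResponse<Void> response = client.send(request, HttpResponse.BodyHandlers.discarding());

        String location = response.headers().firstValue("Location").orElse(null);
        System.out.println(probe + " -> HTTP " + response.statusCode()
                + ": " + classify(response.statusCode(), location));
    }

    /** Decision logic kept separate from I/O so it can be exercised without a target. */
    static String classify(int status, String location) {
        if (status >= 300 && status < 400 && location != null) {
            String host = URI.create(location).getHost();
            if (CANARY_HOST.equalsIgnoreCase(host)) {
                return "VULNERABLE: off-site redirect to " + location;
            }
            return "redirect elsewhere (" + location + "), inspect manually";
        }
        if (status == 400) {
            return "rejected with 400, consistent with a fixed version";
        }
        return "no redirect observed, inspect manually";
    }
}
```

Run it as `java OpenRedirectProbe.java https://victim.example` against a host you are authorized to test. The forward: variant from step 5 produces no telltale header, so it is not probed here; compare the body returned for /forward:/WEB-INF/internal-page with the normal 404 or 400 baseline by hand.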

Mitigation

Only recent versions of Spring Framework receive community support and updates. For this vulnerability there is no public open-source fix for the 4.3.x, 5.3.x or 6.1.x lines: the open-source fixes ship only in Spring Framework 6.2.19 and 7.0.8. The 4.3.x and 5.3.x lines in particular are past their open-source end-of-life and will not receive further community updates.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported open-source version of Spring Framework. The open-source fix ships in Spring Framework 6.2.19 (6.2.x line) and 7.0.8 (7.0.x line).
  • As an interim hardening step on a vulnerable deployment, avoid wildcard handler mappings (/**) that fall through to default view-name resolution, and ensure controllers return explicit, application-controlled view names rather than relying on path-derived defaults. Front the application with a proxy or filter that rejects request paths containing a redirect: or forward: segment.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.
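One way to implement the interim hardening step for Spring MVC, as an added example that is neither HeroDevs' nor Spring's own code: a replacement RequestToViewNameTranslator that refuses path-derived view names carrying a redirect: or forward: prefix (it is registered under the bean name DispatcherServlet looks up), plus a servlet filter that rejects such paths before any handler runs, checking both the raw and the percent-decoded URI. It assumes Spring 6.x with jakarta.servlet; on 5.3.x or 4.3.x the jakarta.servlet imports become javax.servlet and ResponseStatusException is replaced by a plain sendError in the filter only. Class and bean names are placeholders. WebFlux derives the default view name inside a private method, so there only the filter layer (as a WebFilter) applies.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.RequestToViewNameTranslator;
import org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator;
import org.springframework.web.util.UriUtils;

/** Interim hardening for CVE-2026-41844 on Spring MVC. Added example; names are placeholders. */
@Configuration
public class ViewNamePrefixHardening {

    // Prefixes UrlBasedViewResolver interprets as instructions (forward: is MVC-only).
    static final String[] DANGEROUS_PREFIXES = { "redirect:", "forward:" };

    /** True when a view name would be interpreted as a redirect or forward. */
    static boolean hasRedirectOrForwardPrefix(String viewName) {
        if (viewName == null) {
            return false;
        }
        // UrlBasedViewResolver compares case-sensitively; lower-casing here is a
        // conservative superset that also rejects mixed-case probing.
        String lowered = viewName.toLowerCase(Locale.ROOT);
        for (String prefix : DANGEROUS_PREFIXES) {
            if (lowered.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** True when any path segment of the URI starts with a dangerous prefix. */
    static boolean containsPrefixedSegment(String uri) {
        for (String segment : uri.split("/")) {
            if (hasRedirectOrForwardPrefix(segment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Layer 1: DispatcherServlet looks up the bean named "viewNameTranslator"
     * (the constant below). A path-derived view name with either prefix is
     * rejected with 400 before any RedirectView can be built.
     */
    @Bean(name = DispatcherServlet.REQUEST_TO_VIEW_NAME_TRANSLATOR_BEAN_NAME)
    public RequestToViewNameTranslator safeViewNameTranslator() {
        return new DefaultRequestToViewNameTranslator() {
            @Override
            public String getViewName(HttpServletRequest request) {
                String viewName = super.getViewName(request);
                if (hasRedirectOrForwardPrefix(viewName)) {
                    // Handled by ResponseStatusExceptionResolver as an HTTP 400.
                    throw new ResponseStatusException(HttpStatus.BAD_REQUEST,
                            "Request path may not carry a view-name prefix");
                }
                return viewName;
            }
        };
    }

    /** Layer 2: reject such paths before any handler runs, raw and decoded. */
    @Bean
    public OncePerRequestFilter viewNamePrefixFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain) throws ServletException, IOException {
                String raw = request.getRequestURI();
                boolean reject;
                try {
                    String decoded = UriUtils.decode(raw, StandardCharsets.UTF_8);
                    reject = containsPrefixedSegment(raw) || containsPrefixedSegment(decoded);
                } catch (IllegalArgumentException malformedEscape) {
                    reject = true; // undecodable percent-escapes: fail closed
                }
                if (reject) {
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
                chain.doFilter(request, response);
            }
        };
    }
}
```

Spring Boot registers Filter beans with the container automatically; in a plain servlet deployment add the filter via getServletFilters() in the WebApplicationInitializer or a DelegatingFilterProxy in web.xml. The translator bean is the essential layer, since it closes the exact code path in the advisory; the filter is defense in depth and also covers the forward: case on WebFlux-free stacks. Neither replaces the upgrade.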

Credits

  • Discovered internally by the Spring Framework team.
Vulnerability Details

Severity: Medium

CVSS severity bands used on this page:
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2026-41844
Project Affected: Spring Framework
Versions Affected: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected:
Published date: June 11, 2026
Fix date (approximate): June 10, 2026
Category: URL Redirect/Open Redirect