{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41715", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-22T06:21:37.020Z", "datePublished": "2026-06-09T03:48:41.439Z", "dateUpdated": "2026-06-23T20:46:09.111Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T20:46:09.111Z"}, "title": "Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "The Reactor Netty HTTP client may expose credentials when following a redirect from a secure (HTTPS) to an insecure (HTTP) endpoint, leading to information disclosure."}]}], "affected": [{"vendor": "Spring", "product": "Reactor Netty", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.52", "versionType": "custom"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.36", "versionType": "custom"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.17.1", "versionType": "custom"}, {"status": "affected", "version": "1.3.0", "lessThan": "1.3.15.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\n\nAffected versions:\nReactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\n\nAffected versions:\nReactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5."}]}], "references": [{"url": "https://spring.io/security/cve-2026-41715"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-09T13:43:15.959618Z", "id": "CVE-2026-41715", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T13:43:25.100Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-09T13:43:15.959618Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-09T13:43:20.979Z"}}], "cna": {"title": "Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "The Reactor Netty HTTP client may expose credentials when following a redirect from a secure (HTTPS) to an insecure (HTTP) endpoint, leading to information disclosure."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Reactor Netty", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.52", "versionType": "custom"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.36", "versionType": "custom"}, {"status": "affected", "version": "1.2.0", "lessThan": "1.2.17.1", "versionType": "custom"}, {"status": "affected", "version": "1.3.0", "lessThan": "1.3.15.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-41715"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\n\nAffected versions:\nReactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.", "supportingMedia": [{"type": "text/html", "value": "In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\n\nAffected versions:\nReactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T20:46:09.111Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41715", "state": "PUBLISHED", "dateUpdated": "2026-06-23T20:46:09.111Z", "dateReserved": "2026-04-22T06:21:37.020Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-06-09T03:48:41.439Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\n\nAffected versions:\nReactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5."}], "id": "CVE-2026-41715", "lastModified": "2026-06-09T13:49:39.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-06-09T05:16:35.263", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-41715"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "reactor-netty: Reactor Netty: Credential leakage via HTTP redirects from secure to insecure endpoints", "id": "2486701", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2486701"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-319", "details": ["In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\nAffected versions:\nReactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.", "A flaw was found in Reactor Netty HTTP client. In specific scenarios, a remote attacker could exploit this vulnerability when the HTTP client is explicitly configured to follow redirects from a secure endpoint to an insecure one. This could lead to the leakage of sensitive credentials."], "mitigation": {"lang": "en:us", "value": "Do not configure the Reactor Netty HTTP client to automatically follow redirects, or ensure that redirect following is restricted to same-scheme (HTTPS-to-HTTPS) redirects only."}, "name": "CVE-2026-41715", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "reactor-netty", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "reactor-netty", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-06-09T03:48:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41715\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41715\nhttps://spring.io/security/cve-2026-41715"], "statement": "Red Hat ships reactor-netty as a dependency in Red Hat JBoss Fuse 7 and Red Hat JBoss EAP Expansion Pack (XP). This vulnerability is only exploitable when the Reactor Netty HTTP client is explicitly configured to follow redirects, which is not the default behavior.", "threat_severity": "Moderate"}