CVE-2026-41715
Reactor Netty HTTP Client Leaks Credentials On Protocol Downgrade Redirect
CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
8th
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
| CWE | CWE-522 |
| Vendor | spring |
| Product | reactor netty |
| Ecosystems | |
| Industries | Technology, Enterprise |
| Published | Jun 9, 2026 |
| Last Updated | Jun 9, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
Spring / Reactor Netty
1.0.0 < 1.0.52
1.1.0 < 1.1.36
1.2.0 < 1.2.18
1.3.0 < 1.3.6