CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-41008

Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.002

EPSS Ranking 6.8%

CVSS Severity

CVSS v3 Score 6.1

References

https://spring.io/security/cve-2026-41008

Products affected by CVE-2026-41008

Broadcom » Spring Authorization Server » Version: Any

cpe:2.3:a:broadcom:spring_authorization_server:*
Vmware » Spring Security » Version: 7.0.0

cpe:2.3:a:vmware:spring_security:7.0.0
Vmware » Spring Security » Version: 7.0.1

cpe:2.3:a:vmware:spring_security:7.0.1
Vmware » Spring Security » Version: 7.0.2

cpe:2.3:a:vmware:spring_security:7.0.2
Vmware » Spring Security » Version: 7.0.3

cpe:2.3:a:vmware:spring_security:7.0.3
Vmware » Spring Security » Version: 7.0.4

cpe:2.3:a:vmware:spring_security:7.0.4
Vmware » Spring Security » Version: 7.0.5

cpe:2.3:a:vmware:spring_security:7.0.5

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-41008

Products

Pricing

Contact Us