Home
MEDIUM: 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NDefault status
unaffected
1.0.0 (custom) before 1.0.52
affected
1.1.0 (custom) before 1.1.36
affected
1.2.0 (custom) before 1.2.18
affected
1.3.0 (custom) before 1.3.6
affected
Description
In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5.
Problem types
CWE-522: Insufficiently Protected Credentials
Product status
1.0.0 (custom) before 1.0.52
1.1.0 (custom) before 1.1.36
1.2.0 (custom) before 1.2.18
1.3.0 (custom) before 1.3.6
References
spring.io/security/cve-2026-41715