Skip to main content

Spring Boot CVE-2026-41001

| EUVDEUVD-2026-36211 MEDIUM
Insecure Temporary File (CWE-377)
2026-06-11 vmware GHSA-ggg2-9786-hwc8
5.3
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
5.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.3 MEDIUM

Requires local OS account (PR:L) and write access to a locally accessible static path (AV:L); partial C/I/A reflect limited message-data exposure without full system compromise.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 08:01 EUVD
Analysis Generated
Jun 11, 2026 - 07:06 vuln.today

DescriptionCVE.org

Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts.

Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.

AnalysisAI

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.

Technical ContextAI

The flaw resides in org.springframework.boot.autoconfigure.jms.artemis.ArtemisEmbeddedConfigurationFactory, the Spring Boot auto-configuration component responsible for initializing an embedded Apache ActiveMQ Artemis broker. When the spring.artemis.embedded.data-directory property is absent, the factory falls back to a fixed, static filesystem path for the broker's persistence store. CWE-377 (Insecure Temporary File) describes this root cause class: using a predictable name or path in a shared filesystem location enables race-condition or path pre-positioning attacks, where an adversary plants a directory entry or symlink before the legitimate application claims it. The Artemis broker writes journal segments, bindings stores, and large message data to this directory at startup, all of which become accessible or corruptible if the path is redirected. The affected CPE is cpe:2.3:a:spring:spring_boot:*:*:*:*:*:*:*:*, covering all listed version ranges. The vulnerability is only relevant when the embedded Artemis broker is in use - external broker configurations are unaffected.

RemediationAI

The primary fix is to upgrade Spring Boot to a patched release; consult the vendor advisory at https://spring.io/security/cve-2026-41001 for confirmed fix versions, as exact patched release numbers are not independently confirmed from the available input data beyond the stated affected ranges. As an immediate workaround that fully eliminates the attack surface without disabling the embedded broker, explicitly set the spring.artemis.embedded.data-directory property in application.properties or application.yml to a non-predictable, application-specific path (e.g., a unique subdirectory under the application's working directory owned exclusively by the service account, with OS permissions 0700). This removes the predictable path condition entirely. An alternative compensating control is to tighten filesystem permissions on the parent directory of the default static path so only the application's OS user can create entries there; however, this may not be feasible in shared environments and does not address the root cause. Consider switching to an external Artemis broker if the embedded mode is not strictly required, which eliminates this class of risk entirely.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-41001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy