Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Requires local OS account (PR:L) and write access to a locally accessible static path (AV:L); partial C/I/A reflect limited message-data exposure without full system compromise.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts.
Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.
AnalysisAI
Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged attacker on the same host to hijack the embedded Apache ActiveMQ Artemis broker's data directory before the application starts. By pre-creating the predictable static path or placing a symlink at that location, the attacker can redirect broker persistence writes - including application messages, journal files, and bindings - to an attacker-controlled filesystem location, yielding partial confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis, but the vulnerability spans five active Spring Boot release trains (2.7.x through 4.0.x), broadening aggregate exposure.
Technical ContextAI
The flaw resides in org.springframework.boot.autoconfigure.jms.artemis.ArtemisEmbeddedConfigurationFactory, the Spring Boot auto-configuration component responsible for initializing an embedded Apache ActiveMQ Artemis broker. When the spring.artemis.embedded.data-directory property is absent, the factory falls back to a fixed, static filesystem path for the broker's persistence store. CWE-377 (Insecure Temporary File) describes this root cause class: using a predictable name or path in a shared filesystem location enables race-condition or path pre-positioning attacks, where an adversary plants a directory entry or symlink before the legitimate application claims it. The Artemis broker writes journal segments, bindings stores, and large message data to this directory at startup, all of which become accessible or corruptible if the path is redirected. The affected CPE is cpe:2.3:a:spring:spring_boot:*:*:*:*:*:*:*:*, covering all listed version ranges. The vulnerability is only relevant when the embedded Artemis broker is in use - external broker configurations are unaffected.
RemediationAI
The primary fix is to upgrade Spring Boot to a patched release; consult the vendor advisory at https://spring.io/security/cve-2026-41001 for confirmed fix versions, as exact patched release numbers are not independently confirmed from the available input data beyond the stated affected ranges. As an immediate workaround that fully eliminates the attack surface without disabling the embedded broker, explicitly set the spring.artemis.embedded.data-directory property in application.properties or application.yml to a non-predictable, application-specific path (e.g., a unique subdirectory under the application's working directory owned exclusively by the service account, with OS permissions 0700). This removes the predictable path condition entirely. An alternative compensating control is to tighten filesystem permissions on the parent directory of the default static path so only the application's OS user can create entries there; however, this may not be feasible in shared environments and does not address the root cause. Consider switching to an external Artemis broker if the embedded mode is not strictly required, which eliminates this class of risk entirely.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-377 – Insecure Temporary File
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36211
GHSA-ggg2-9786-hwc8