Skip to main content

Spring Framework CVE-2026-41840

| EUVD-2026-35327 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 vmware GHSA-83f7-v6px-pp3h
Denial Of Service Java
5.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:25 vuln.today

DescriptionNVD

Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

AnalysisAI

Denial of Service in Spring WebFlux's multipart request processing allows unauthenticated remote attackers to exhaust server resources across all supported Spring Framework branches. Affects Spring Framework 5.3.x through 7.0.x when applications use the reactive WebFlux stack and expose endpoints that accept multipart data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Spring WebFlux multipart endpoint
Delivery
Craft malformed multipart HTTP request triggering unbounded parsing
Exploit
Send request to target application
Execution
Exhaust JVM heap or event-loop thread resources
Persist
Application becomes unresponsive
Impact
Deny service to legitimate users
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target application must be built on the Spring WebFlux reactive stack (not Spring MVC); Spring MVC applications are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.9 (Medium) is driven by AV:N (network reachable), AC:H (high attack complexity), PR:N (no privileges required), UI:N (no user interaction), and A:H (complete availability loss), with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker identifies a Spring WebFlux application exposing a multipart form or file-upload endpoint and sends a specially crafted multipart HTTP request designed to trigger unbounded resource consumption during parsing. The application's reactive event loop becomes resource-starved - exhausting heap memory or processing capacity - causing the service to become unresponsive or crash, denying service to all legitimate users. …
Remediation Upgrade to a patched Spring Framework release per the VMware/Spring vendor advisory at https://spring.io/security/cve-2026-41840. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10771 MEDIUM POC
5.5 Jun 03

Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
CVE-2026-25860 MEDIUM POC
5.3 Jun 09

Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
CVE-2026-50076 CRITICAL
9.1 Jun 04

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
CVE-2026-40128 CRITICAL
9.0 Jun 09

Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
CVE-2026-41855 HIGH
8.1 Jun 09

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess

Share

CVE-2026-41840 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy