Skip to main content

Spring Framework CVE-2026-41841

| EUVD-2026-35328 MEDIUM
Use of Cache Containing Sensitive Information (CWE-524)
2026-06-09 vmware GHSA-mq64-j8f9-9gcj
Information Disclosure Java
5.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:25 vuln.today

DescriptionNVD

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

AnalysisAI

Information disclosure in Spring Framework's static resource resolution affects Spring MVC and WebFlux applications across four active release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x). Unauthenticated remote attackers exploiting this flaw can access sensitive cached content served through the static resource handling pipeline, achieving high confidentiality impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted HTTP request to static resource endpoint
Delivery
Manipulate cache state via specific request sequence
Exploit
Trigger improper cache lookup in resource resolver
Execution
Retrieve sensitive cached resource content
Impact
Exfiltrate disclosed information
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The application must be using Spring MVC or Spring WebFlux with static resource serving enabled - this is the default in Spring Boot applications unless explicitly disabled via spring.web.resources.add-mappings=false. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.9 (Medium) reflects a real tension in signal interpretation: C:H indicates full confidentiality loss against an affected resource, yet AC:H suppresses the overall score by requiring non-trivial exploitation conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a sequence of crafted HTTP GET requests targeting the static resource resolution endpoint of an internet-facing Spring MVC or WebFlux application, timing or structuring the requests to exploit the cache handling flaw under the AC:H conditions (likely a specific request ordering or cache-state precondition). The flawed resolution logic retrieves and returns cached resource content that the attacker was not authorized to access, such as application configuration fragments or internal files inadvertently reachable through the resource path. …
Remediation The primary remediation is to upgrade to a patched Spring Framework release. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10771 MEDIUM POC
5.5 Jun 03

Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
CVE-2026-25860 MEDIUM POC
5.3 Jun 09

Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
CVE-2026-50076 CRITICAL
9.1 Jun 04

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
CVE-2026-40128 CRITICAL
9.0 Jun 09

Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
CVE-2026-41855 HIGH
8.1 Jun 09

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess

Share

CVE-2026-41841 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy