Skip to main content

Spring Framework EUVD-2026-35342

| CVE-2026-41853 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-06-09 vmware GHSA-cjpg-rgq5-fr37
Information Disclosure Java Request Smuggling
5.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 06:01 EUVD
Analysis Generated
Jun 09, 2026 - 05:21 vuln.today

DescriptionNVD

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

AnalysisAI

Multipart request smuggling in Spring Framework's MVC and WebFlux components exposes applications to HTTP request manipulation via CWE-444. Unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N per CVSS) can exploit inconsistent multipart boundary parsing to smuggle malformed HTTP requests, achieving low-integrity impact against affected deployments. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted multipart POST to exposed endpoint
Delivery
Exploit boundary parsing inconsistency (CWE-444)
Exploit
Smuggle embedded HTTP request within body
Execution
Proxy or load balancer forwards smuggled request
Persist
Bypass application-layer security control or forge routing header
Impact
Achieve unauthorized low-integrity write or request manipulation
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The application must be running Spring MVC or Spring WebFlux and must have multipart request processing active - meaning a multipart-capable endpoint exists (e.g., a file upload form, an API accepting multipart/form-data). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) reflects a limited but accessible attack surface: AV:N (network-reachable), AC:L (no special conditions), PR:N (no authentication required), UI:N (no user interaction), with scope unchanged and impact confined to low integrity (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request with a malformed multipart boundary to a Spring MVC or WebFlux endpoint. The inconsistent boundary interpretation causes the server to misparse the request body, smuggling an embedded secondary HTTP request that may be forwarded by an upstream proxy or load balancer with attacker-controlled headers or routing. …
Remediation Upgrade to the next patched release in your active Spring Framework branch as documented in the vendor advisory at https://spring.io/security/cve-2026-41853. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-10771 MEDIUM POC
5.5 Jun 03

Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
CVE-2026-25860 MEDIUM POC
5.3 Jun 09

Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
CVE-2026-50076 CRITICAL
9.1 Jun 04

Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
CVE-2026-40128 CRITICAL
9.0 Jun 09

Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
CVE-2026-41855 HIGH
8.1 Jun 09

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess

Share

EUVD-2026-35342 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy