CVE-2026-22735
Status: Received - Intake
Stream Corruption in Spring MVC/WebFlux SSE Causes Data Integrity Risk

Publication date: 2026-03-20

Last updated on: 2026-04-23

Assigner: VMware

Description
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Meta Information
Published: 2026-03-20
Last Modified: 2026-04-23
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (4 associated CPEs)
Vendor   Product            Version / Range
vmware   spring_framework   before 5.3.47 (exclusive)
vmware   spring_framework   from 6.1.0 (inclusive) to 6.1.26 (exclusive)
vmware   spring_framework   from 6.2.0 (inclusive) to 6.2.17 (exclusive)
vmware   spring_framework   from 7.0.0 (inclusive) to 7.0.6 (exclusive)
CWE
CWE-667: The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Executive Summary

CVE-2026-22735 is a vulnerability in Spring MVC and Spring WebFlux applications that use Server-Sent Events (SSE) to stream data to clients.

The vulnerability occurs when an attacker controls the streamed data sent to other users and the application sends plain text messages instead of structured formats like JSON.

Under these conditions, the attacker can corrupt the SSE data stream, which may cause frontend application state corruption or display malicious information to other users.
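As an added illustration (not code from this record or from Spring), the Python sketch below shows why the advisory singles out plain text: an SSE writer that copies a message verbatim into a `data:` line lets embedded line breaks open new fields and events, whereas JSON encoding escapes those breaks so the client decodes exactly one event with the text intact. The naive writer, the minimal parser and the sample message are constructed assumptions for the demonstration, not Spring's implementation.

```python
import json

# Constructed sample of attacker-influenced text (assumption: it stands in for
# the "plain text messages" the advisory refers to). It carries line breaks and
# SSE field names, which only matter if the writer copies it verbatim.
USER_MESSAGE = "hello\n\nevent: alert\ndata: forged"


def frame_plain(text: str) -> str:
    """Naive SSE writer: drops the text into one data: line unchanged (unsafe)."""
    return f"data: {text}\n\n"


def frame_json(payload: dict) -> str:
    """Structured SSE writer: json.dumps escapes CR/LF, so the event is one line."""
    return f"data: {json.dumps(payload)}\n\n"


def parse_sse(stream: str) -> list[tuple[str, str]]:
    """Minimal event-stream parser following the standard field rules:
    'data' lines accumulate (joined with '\\n'), 'event' sets the type, a blank
    line dispatches the event, and one leading space after the colon is dropped."""
    events: list[tuple[str, str]] = []
    data: list[str] = []
    event_type = "message"
    for line in stream.split("\n"):
        if line == "":
            if data:
                events.append((event_type, "\n".join(data)))
            data, event_type = [], "message"
            continue
        field, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value
        if field == "data":
            data.append(value)
        elif field == "event":
            event_type = value
    return events


def deliver(text: str):
    """Return the events a client decodes from each writer, plus the text the
    client recovers from the JSON-framed event."""
    plain = parse_sse(frame_plain(text))            # splits into two events
    structured = parse_sse(frame_json({"text": text}))  # stays one event
    recovered = json.loads(structured[0][1])["text"]
    return plain, structured, recovered
```

Running `deliver(USER_MESSAGE)` shows the plain-text writer yielding a second event of type `alert` that the server never intended, while the JSON writer yields a single `message` event from which the original text round-trips unchanged.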

  • Affected Spring Framework versions include 7.0.0 through 7.0.5, 6.2.0 through 6.2.16, 6.1.0 through 6.1.25, and 5.3.0 through 5.3.46.

Mitigation involves upgrading to fixed versions such as 7.0.6, 6.2.17, 6.1.26, or 5.3.47 depending on the branch.

Impact Analysis

This vulnerability can impact you by allowing an attacker to corrupt the Server-Sent Events data stream in your Spring MVC or WebFlux application.

Such corruption can lead to frontend application state corruption or cause malicious information to be displayed to other users.

The vulnerability does not affect confidentiality or availability but can cause integrity issues in the streamed data.

Mitigation Strategies

The primary mitigation step is to upgrade the affected Spring Framework versions to the fixed releases.

  • Upgrade 7.0.x versions to 7.0.6 (Open Source)
  • Upgrade 6.2.x versions to 6.2.17 (Open Source)
  • Upgrade 6.1.x versions to 6.1.26 (Commercial)
  • Upgrade 5.3.x versions to 5.3.47 (Commercial)

No additional mitigation steps are required beyond upgrading.
