CVE-2026-22741
Cache Poisoning in Spring MVC/WebFlux Static Resource Handling Causes DoS
Publication date: 2026-04-29
Last updated on: 2026-05-04
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_framework | to 5.3.48 (exc) |
| vmware | spring_framework | From 6.1.0 (inc) to 6.1.27 (exc) |
| vmware | spring_framework | From 6.2.0 (inc) to 6.2.18 (exc) |
| vmware | spring_framework | From 7.0.0 (inc) to 7.0.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-524 | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to a denial of service by breaking the front-end application for clients.
Specifically, an attacker can poison the resource cache with resources using the wrong encoding, causing the application to serve corrupted or invalid static resources.
Can you explain this vulnerability to me?
CVE-2026-22741 is a vulnerability in Spring MVC and Spring WebFlux applications related to static resource cache poisoning.
The vulnerability occurs when all of the following conditions are met: the application uses Spring MVC or Spring WebFlux; resource chain support is configured with caching enabled; encoded resource resolution is supported; and the resource cache is initially empty when an attacker gains access.
Under these circumstances, an attacker can send malicious requests that poison the resource cache with incorrectly encoded resources, which can disrupt the front-end application for clients.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Spring Framework to a fixed version.
- Upgrade 7.0.x versions to 7.0.7 or later (Open Source).
- Upgrade 6.2.x versions to 6.2.18 or later (Open Source).
- Upgrade 6.1.x versions to 6.1.27 or later (Commercial).
- Upgrade 5.3.x versions to 5.3.48 or later (Commercial).
No additional mitigation steps are required beyond upgrading.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-22741 is a vulnerability in Spring MVC and Spring WebFlux applications related to static resource cache poisoning.
This vulnerability occurs when all the following conditions are met: the application uses Spring MVC or Spring WebFlux; resource chain support is configured with caching enabled; encoded resource resolution is supported; and the resource cache is initially empty when an attacker gains access.
Under these circumstances, an attacker can send malicious requests that poison the resource cache with incorrectly encoded resources.
This cache poisoning can cause a denial of service by disrupting the front-end application for clients.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) condition.
An attacker can poison the resource cache with resources using the wrong encoding, which breaks the front-end application for clients.
This disruption affects availability but does not impact confidentiality or integrity.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Spring Framework to a fixed version.
- Upgrade 7.0.x versions to 7.0.7 or later (Open Source).
- Upgrade 6.2.x versions to 6.2.18 or later (Open Source).
- Upgrade 6.1.x versions to 6.1.27 or later (Commercial).
- Upgrade 5.3.x versions to 5.3.48 or later (Commercial).
No additional mitigation steps are required beyond upgrading.