CVE-2026-41841
Received Received - Intake
Information Disclosure in Spring Framework

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-41841
EUVD
EUVD-2026-35328
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_framework From 5.3.0 (inc) to 5.3.48 (inc)
vmware spring_framework From 6.1.0 (inc) to 6.1.27 (inc)
vmware spring_framework From 6.2.0 (inc) to 6.2.18 (inc)
vmware spring_framework From 7.0.0 (inc) to 7.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41841 is a medium-severity information disclosure vulnerability affecting Spring Framework versions 7.0.0 to 7.0.7, 6.2.0 to 6.2.18, 6.1.0 to 6.1.27, and 5.3.0 to 5.3.48.

The issue occurs in applications using Spring MVC or Spring WebFlux that have multiple resource handlers configured for different locations, where at least one handler requires authentication and a shared cache is used.

An attacker can exploit this vulnerability by accessing a protected resource if a publicly available resource with the same name was resolved first and cached, leading to unauthorized information disclosure.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of protected information in Spring MVC or WebFlux applications.

If an attacker accesses a publicly available resource first and it gets cached, they may then be able to access a protected resource with the same name without proper authentication.

This could expose sensitive data that should be restricted, potentially compromising confidentiality.

Mitigation Strategies

The primary and immediate step to mitigate this vulnerability is to upgrade the Spring Framework to the fixed versions.

  • Upgrade to Spring Framework 7.0.8 (OSS) or 7.0.7.1 (Commercial) for 7.0.x versions.
  • Upgrade to Spring Framework 6.2.19 (OSS) or 6.2.18.1 (Commercial) for 6.2.x versions.
  • Upgrade to Spring Framework 6.1.28 (Commercial) for 6.1.x versions.
  • Upgrade to Spring Framework 5.3.49 (Commercial) for 5.3.x versions.

No additional mitigation steps are required beyond upgrading.

Compliance Impact

CVE-2026-41841 is an information disclosure vulnerability in Spring Framework that could allow unauthorized access to protected resources due to caching issues. Such unauthorized disclosure of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41841. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart