CVE-2026-41841

Analyzed Analyzed - Analysis Complete

Information Disclosure in Spring Framework

Publication date: 2026-06-09

Last updated on: 2026-06-27

Assigner: VMware

Description

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-09

Last Modified

2026-06-27

Generated

2026-06-29

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-28

NVD

CVE-2026-41841

EUVD

EUVD-2026-35328

Affected Vendors & Products

Vendor	Product	Version / Range
vmware	spring_framework	From 5.3.0 (inc) to 5.3.49 (exc)
vmware	spring_framework	From 6.1.0 (inc) to 6.1.28 (exc)
vmware	spring_framework	From 6.2.0 (inc) to 6.2.19 (exc)
vmware	spring_framework	From 7.0.0 (inc) to 7.0.8 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-524	The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Attack-Flow Graph

Detection Guidance

This vulnerability affects Spring MVC and WebFlux applications using certain versions of the Spring Framework with multiple resource handlers and shared caching. Detection involves identifying if your application is running an affected Spring Framework version and if it uses multiple resource handlers with shared caches.

Since the vulnerability is related to the resolution and caching of static resources, there are no specific network or system commands provided to detect exploitation attempts or presence of the vulnerability.

The recommended approach is to verify the Spring Framework version in use and upgrade to the fixed versions as listed in the advisory.

Executive Summary

CVE-2026-41841 is a medium-severity information disclosure vulnerability affecting Spring Framework versions 7.0.0 to 7.0.7, 6.2.0 to 6.2.18, 6.1.0 to 6.1.27, and 5.3.0 to 5.3.48.

The issue occurs in applications using Spring MVC or Spring WebFlux that have multiple resource handlers configured for different locations, where at least one handler requires authentication and a shared cache is used.

An attacker can exploit this vulnerability by accessing a protected resource if a publicly available resource with the same name was resolved first and cached, leading to unauthorized information disclosure.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of protected information in Spring MVC or WebFlux applications.

If an attacker accesses a publicly available resource first and it gets cached, they may then be able to access a protected resource with the same name without proper authentication.

This could expose sensitive data that should be restricted, potentially compromising confidentiality.

Mitigation Strategies

The primary and immediate step to mitigate this vulnerability is to upgrade the Spring Framework to the fixed versions.

Upgrade to Spring Framework 7.0.8 (OSS) or 7.0.7.1 (Commercial) for 7.0.x versions.
Upgrade to Spring Framework 6.2.19 (OSS) or 6.2.18.1 (Commercial) for 6.2.x versions.
Upgrade to Spring Framework 6.1.28 (Commercial) for 6.1.x versions.
Upgrade to Spring Framework 5.3.49 (Commercial) for 5.3.x versions.

No additional mitigation steps are required beyond upgrading.

Compliance Impact

CVE-2026-41841 is an information disclosure vulnerability in Spring Framework that could allow unauthorized access to protected resources due to caching issues. Such unauthorized disclosure of sensitive information could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

However, the provided information does not explicitly discuss the impact of this vulnerability on compliance with specific standards or regulations.

Hi! I’m here to help you understand CVE-2026-41841. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70