CVE-2026-41847
Analyzed Analyzed - Analysis Complete

Security Bypass in Spring WebFlux via Kotlin Router DSL

Publication date: 2026-06-09

Last updated on: 2026-06-11

Assigner: VMware

Description
Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-09
Last Modified
2026-06-11
Generated
2026-06-29
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28
NVD
CVE-2026-41847
EUVD
EUVD-2026-35335

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vmware spring_framework From 5.3.0 (inc) to 5.3.49 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-41847 is a security vulnerability in the Spring Framework that affects applications using Spring WebFlux with the Kotlin Router DSL.

The vulnerability occurs when a filter modifies or replaces the ServerRequest (for example, using ServerRequestWrapper) before passing it to the next handler. In this case, the security-related changes made by the filter are discarded silently, and the downstream handler receives the original, unmodified request.

As a result, security checks that rely on the modified request become ineffective, allowing a security bypass.

Impact Analysis

This vulnerability can lead to a security bypass in Spring WebFlux applications using the Kotlin Router DSL.

Because security filters that modify the ServerRequest are ignored downstream, unauthorized or malicious requests might bypass security checks.

This can result in unauthorized access or actions within the affected application, potentially compromising confidentiality and integrity.

Detection Guidance

This vulnerability occurs specifically in Spring WebFlux applications using the Kotlin Router DSL along with a filter that modifies or replaces the ServerRequest before passing it to the next handler. Detection involves reviewing your application code to identify usage of Spring WebFlux with the Kotlin Router DSL and filters that modify ServerRequest objects.

There are no specific network or system commands provided to detect this vulnerability automatically.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade the Spring Framework to version 5.3.49 or later.

No additional mitigation steps are required after upgrading.

Compliance Impact

The provided information does not specify how the CVE-2026-41847 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart