Description
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.


More precisely, an application can be vulnerable when all the following are true:

* the application is using Spring MVC or Spring WebFlux
* the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled
* the application adds support for encoded resources resolution
* the resource cache must be empty when the attacker has access to the application


When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Published: 2026-04-29
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring MVC and Spring WebFlux applications are vulnerable to cache poisoning when resolving static resources. The flaw allows an attacker to send crafted requests that inject incorrectly encoded resources into the resource cache under the conditions that the application is using Spring MVC or WebFlux, has caching enabled, adds support for encoded resources, and the cache is initially empty when the attacker has access. This poisoned cache can subsequently break the front‑end of the application for all clients, resulting in a denial of service.

Affected Systems

The vulnerability impacts VMware's Spring Framework, specifically applications built with Spring MVC or Spring WebFlux. No specific product version details are listed, so all deployments using the affected framework components that meet the described conditions are potentially affected.

Risk and Exploitability

The CVSS score is 3.1, and the EPSS score of < 1% indicates a low probability that this vulnerability will be exploited. The flaw is not listed in the CISA KEV catalog. Based on the description, the likelihood of exploitation is low, as it requires the attacker to have network access and the resource cache to be empty. If an attacker meets these conditions, they can send crafted static resource requests to poison the cache, causing a denial of service by breaking the front‑end for clients. No publicly available exploits have been reported, and the conditions for attack are clear but uncommon.

Generated by OpenCVE AI on May 4, 2026 at 13:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring Framework to a version that contains the fix for the cache poisoning issue (CWE-524).
  • If an update is not feasible immediately, disable resource caching or ensure the cache never starts empty to prevent poisoning.
  • Monitor application logs for unusual static resource requests that might indicate an attempted cache poison, and verify that the cache remains healthy.

Generated by OpenCVE AI on May 4, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wg35-8jpf-2xv3 Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
History

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

Mon, 04 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-838
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 29 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Framework
Vendors & Products Vmware
Vmware spring Framework

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N'}

 cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Title Static resource cache poisoning in Spring MVC and WebFlux
Weaknesses CWE-524
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N'}

Subscriptions

Vmware Spring Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T14:01:42.273Z

Reserved: 2026-01-09T06:54:49.675Z

Link: CVE-2026-22741

cve-icon Vulnrichment

Updated: 2026-04-29T13:19:34.363Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T12:16:18.487

Modified: 2026-05-04T14:51:05.160

Link: CVE-2026-22741

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-29T11:32:12Z

Links: CVE-2026-22741 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T14:00:20Z

Weaknesses