Description
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.


More precisely, an application can be vulnerable when all the following are true:

* the application is using Spring MVC or Spring WebFlux
* the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled
* the application adds support for encoded resources resolution
* the resource cache must be empty when the attacker has access to the application


When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Published: 2026-04-29
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring MVC and Spring WebFlux applications are vulnerable to cache poisoning when resolving static resources. The flaw allows an attacker to send crafted requests that inject incorrectly encoded resources into the resource cache under the conditions that the application is using Spring MVC or WebFlux, has caching enabled, adds support for encoded resources, and the cache is initially empty when the attacker has access. This poisoned cache can subsequently break the front‑end of the application for all clients, resulting in a denial of service.

Affected Systems

The vulnerability impacts VMware's Spring Framework, specifically applications built with Spring MVC or Spring WebFlux. No specific product version details are listed, so all deployments using the affected framework components that meet the described conditions are potentially affected.

Risk and Exploitability

The CVSS score is 3.1, and the EPSS score of < 1% indicates a low probability that this vulnerability will be exploited. The flaw is not listed in the CISA KEV catalog. Based on the description, the likelihood of exploitation is low, as it requires the attacker to have network access and the resource cache to be empty. If an attacker meets these conditions, they can send crafted static resource requests to poison the cache, causing a denial of service by breaking the front‑end for clients. No publicly available exploits have been reported, and the conditions for attack are clear but uncommon.

Generated by OpenCVE AI on April 30, 2026 at 04:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring Framework to a version that contains the fix for the cache poisoning issue (CWE-524).
  • If an update is not feasible immediately, disable resource caching or ensure the cache never starts empty to prevent poisoning.
  • Monitor application logs for unusual static resource requests that might indicate an attempted cache poison, and verify that the cache remains healthy.

Generated by OpenCVE AI on April 30, 2026 at 04:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Framework
Vendors & Products Vmware
Vmware spring Framework

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N'}

 cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Title Static resource cache poisoning in Spring MVC and WebFlux
Weaknesses CWE-524
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N'}

Subscriptions

Vmware Spring Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-29T14:01:42.273Z

Reserved: 2026-01-09T06:54:49.675Z

Link: CVE-2026-22741

cve-icon Vulnrichment

Updated: 2026-04-29T13:19:34.363Z

cve-icon NVD

Status : Received

Published: 2026-04-29T12:16:18.487

Modified: 2026-04-29T15:16:05.140

Link: CVE-2026-22741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T04:00:15Z

Weaknesses