Description
Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts.

Affected versions:
Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.
Published: 2026-06-11
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Boot's ArtemisEmbeddedConfigurationFactory assigns a fixed, static path to the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker who can create that directory before the application starts can either pre-populate a predictable directory or place a symlink in its place. This allows the attacker to influence the broker's data storage or potentially inject malicious data. The resulting compromise is limited to the local host and can affect confidentiality or integrity of messages handled by Artemis.

Affected Systems

Vendors: Spring. Product: Spring Boot. Affected versions include Spring Boot 2.7.0 through 2.7.33, 3.3.0 through 3.3.19, 3.4.0 through 3.4.16, 3.5.0 through 3.5.14, and 4.0.0 through 4.0.6.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Exploitation requires local access; the absence of a public EPSS score and lack of KEV listing suggest the exploit has not yet been widely observed. Nonetheless, an attacker with local privileges can execute the described attack path by creating or symlinking the expected directory before the application launches, leading to potential data tampering or unauthorized configuration changes.

Generated by OpenCVE AI on June 11, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Spring Boot release that resolves the predictable directory issue (e.g., 4.0.7 or later, or the most recent 3.x and 2.x releases).
  • Configure an explicit Artemis data directory in the application.properties or application.yml file to override the default path.
  • Run the application under a dedicated, non-privileged user and restrict filesystem permissions on the data directory to prevent unauthorized creation of symlinks or files.
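The second and third recommendations, worked as a start-script check (an added example, not code from OpenCVE or from Spring Boot): the data directory is created with owner-only permissions and then verified to be a real directory, owned by the service user, before the broker is pointed at it. The directory path and the user name `myapp` are assumptions; the property `spring.artemis.embedded.data-directory` is Spring Boot's documented setting for the journal directory, not something taken from this page.

```shell
# Added example (not from the advisory or Spring Boot): prepare a dedicated
# Artemis data directory and verify it before the application is launched.
# Assumptions: the service runs as user $2 and the directory is $1; the app is
# pointed at it via spring.artemis.embedded.data-directory (property name from
# Spring Boot's documented configuration, not from this page).

# Returns 0 if DIR is a real directory (not a symlink), owned by USER, with no
# group/other permission bits; returns 1 and prints the reason otherwise.
check_artemis_data_dir() {
    dir="$1"
    user="$2"
    if [ -L "$dir" ]; then
        echo "refusing $dir: it is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing $dir: not a directory" >&2
        return 1
    fi
    # Parse `ls -ld` output: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$dir")
    mode="$1"
    owner="$3"
    if [ "$owner" != "$user" ]; then
        echo "refusing $dir: owned by $owner, expected $user" >&2
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) ;;
        *) echo "refusing $dir: group/other access allowed ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# Creates DIR with mode 0700. A pre-existing symlink or a directory owned by
# someone else is not silently reused: mkdir -p succeeds, the check rejects it.
prepare_artemis_data_dir() {
    (umask 077 && mkdir -p "$1") || return 1
    check_artemis_data_dir "$1" "$2"
}

# Usage in a start script (path and user name are assumptions):
# prepare_artemis_data_dir /var/lib/myapp/artemis myapp || exit 1
# exec java -Dspring.artemis.embedded.data-directory=/var/lib/myapp/artemis -jar app.jar
```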


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 07:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Spring; Spring spring Boot
Type: Vendors & Products
  Values removed: (none)
  Values added: Spring; Spring spring Boot

Thu, 11 Jun 2026 06:45:00 +0000

Type: Description
  Values removed: (none)
  Values added: Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.
Type: Title
  Values removed: (none)
  Values added: Predictable Temp Directory in Artemis Auto-configuration
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-377
Type: References
  Values removed: (none)
  Values added:
Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:28.663Z

Reserved: 2026-04-16T02:19:12.970Z

Link: CVE-2026-41001

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T07:16:28.163

Modified: 2026-06-11T07:16:28.163

Link: CVE-2026-41001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses