Description
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests.
Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring WebFlux applications are vulnerable to Denial of Service attacks when processing multipart requests, and attackers can send specially crafted multipart HTTP requests that exhaust server resources. This weakness is categorized as CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Memory Leak), and can affect the availability of the affected application while it is under attack.

Affected Systems

Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are vulnerable. Any application deployed with these releases that implements Spring WebFlux is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity. The EPSS score is below 1%, indicating a very low but non-zero likelihood of exploitation, and the vulnerability is not listed in CISA KEV. The attack vector is remote via unauthenticated HTTP requests. An adversary only needs to send malformed multipart data; no special privileges or other preconditions are mentioned. The impact is limited to the availability of the affected application, with no evidence of confidentiality or integrity compromise.

Generated by OpenCVE AI on June 20, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to a version that fixes the issue (5.3.49 or newer, 6.1.28 or newer, 6.2.19 or newer, 7.0.8 or newer).
  • Configure multipart request size limits in Spring (e.g., spring.http.multipart.max-file-size, spring.http.multipart.max-request-size) to bound resource consumption.
  • Deploy the application behind a reverse proxy or API gateway that enforces strict request size and rate limits to mitigate potential abuse.



Advisories

No advisories yet.

References
History

Sat, 20 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title Spring Framework Denial of Service via Multipart Requests in WebFlux

Sat, 20 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Description Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48.
Weaknesses CWE-401

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Framework
CPEs cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Framework

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 05:45:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Framework
Vendors & Products Spring
Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title Spring Framework Denial of Service via Multipart Requests in WebFlux
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-20T00:11:52.160Z

Reserved: 2026-04-22T06:22:01.123Z

Link: CVE-2026-41840

Vulnrichment

Updated: 2026-06-09T13:31:08.172Z

NVD

Status : Analyzed

Published: 2026-06-09T05:16:35.967

Modified: 2026-06-09T20:38:34.420

Link: CVE-2026-41840

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T01:30:05Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-401

    Missing Release of Memory after Effective Lifetime