Description
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to send specially crafted multipart HTTP requests to a Spring WebFlux application. The processing of these requests can exhaust server resources, leading to a denial of service. This weakness is categorized as CWE‑400 (Uncontrolled Resource Consumption), and can affect the availability of the affected application while it is under attack.

Affected Systems

Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are vulnerable. Any application built on these releases that uses Spring WebFlux and processes multipart requests is exposed; the advisory names only WebFlux, not the servlet-based Spring MVC stack.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity. The EPSS score is below 1% (very low) and the vulnerability is not listed in CISA KEV; the SSVC record likewise reports no known exploitation and rates it as not automatable. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a remote attack over HTTP that needs no privileges and no user interaction but has high attack complexity: the adversary must send specially crafted multipart requests rather than arbitrary malformed data. The impact is limited to the availability of the affected application, with no confidentiality or integrity impact.

Generated by OpenCVE AI on June 9, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to a version that fixes the issue (5.3.49 or newer, 6.1.28 or newer, 6.2.19 or newer, 7.0.8 or newer).
  • Bound multipart resource consumption on the WebFlux side. The servlet properties spring.servlet.multipart.max-file-size and spring.servlet.multipart.max-request-size (spring.http.multipart.* in Spring Boot 1.x) apply only to Spring MVC. WebFlux parses multipart bodies with DefaultPartHttpMessageReader, whose limits are set with setMaxInMemorySize, setMaxDiskUsagePerPart, setMaxParts and setMaxHeadersSize, or in Spring Boot 2.6 and later through spring.webflux.multipart.max-in-memory-size, spring.webflux.multipart.max-disk-usage-per-part, spring.webflux.multipart.max-parts and spring.webflux.multipart.max-headers-size. These caps limit what a single request can consume but are defense in depth, not a substitute for the upgrade: the advisory does not say which stage of multipart processing is affected.
  • Deploy the application behind a reverse proxy or API gateway that enforces strict request size and rate limits to mitigate potential abuse.
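As an added example (not code from the Spring project or from this page), the following WebFluxConfigurer installs a DefaultPartHttpMessageReader with explicit limits, which is the programmatic form of the Spring Boot spring.webflux.multipart.* properties. The class name MultipartLimitsConfig and the numeric limits are illustrative assumptions; pick values from the largest legitimate upload the application must accept.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.codec.ServerCodecConfigurer;
import org.springframework.http.codec.multipart.DefaultPartHttpMessageReader;
import org.springframework.http.codec.multipart.MultipartHttpMessageReader;
import org.springframework.web.reactive.config.WebFluxConfigurer;

/**
 * Hypothetical configuration class (added example, not Spring's own code).
 * Replaces the default multipart reader with one whose per-request
 * resource usage is explicitly bounded.
 */
@Configuration
public class MultipartLimitsConfig implements WebFluxConfigurer {

    @Override
    public void configureHttpMessageCodecs(ServerCodecConfigurer configurer) {
        DefaultPartHttpMessageReader partReader = new DefaultPartHttpMessageReader();

        // Illustrative limits (assumptions): tune to the application's real uploads.
        partReader.setMaxInMemorySize(256 * 1024);            // buffer at most 256 KiB per part in memory
        partReader.setMaxDiskUsagePerPart(5L * 1024 * 1024);  // spill at most 5 MiB per part to disk
        partReader.setMaxParts(10);                           // reject requests with more than 10 parts
        partReader.setMaxHeadersSize(8 * 1024);               // cap the headers of a single part at 8 KiB

        // Wrap the part reader so it also serves MultiValueMap<String, Part> arguments.
        configurer.defaultCodecs().multipartReader(new MultipartHttpMessageReader(partReader));
    }
}
```

Requests that exceed any of these limits fail with a client error instead of being buffered further, which bounds the cost of a single multipart request. Per-connection and aggregate limits (request rate, concurrent connections, total body size) still belong at the reverse proxy or gateway, as the next recommendation says, because one process-wide multipart reader cannot see across connections.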

Generated by OpenCVE AI on June 9, 2026 at 05:50 UTC.


Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 20:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Vmware; Vmware Spring Framework
CPEs                                   cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Vendors & Products                     Vmware; Vmware Spring Framework

Tue, 09 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 05:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Spring; Spring Spring Framework
Vendors & Products                     Spring; Spring Spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type          Values Removed   Values Added
Description                    Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title                          Spring Framework Denial of Service via Multipart Requests in WebFlux
Weaknesses                     CWE-400
References
Metrics                        cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:31:11.330Z

Reserved: 2026-04-22T06:22:01.123Z

Link: CVE-2026-41840

Vulnrichment

Updated: 2026-06-09T13:31:08.172Z

NVD

Status : Analyzed

Published: 2026-06-09T05:16:35.967

Modified: 2026-06-09T20:38:34.420

Link: CVE-2026-41840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T06:00:15Z

Weaknesses