CVE-2026-41841 - Vulnerability Details

- Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux

Description

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Published: 2026-06-09

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Spring MVC and WebFlux allows the resolution of static resources to leak application information. The vulnerability arises when the static resource cache interacts with resource handler mappings, enabling an attacker to discover file names, paths, or other internal details that should not be publicly exposed. This constitutes a confidentiality breach, exposing potentially sensitive data such as source file locations or configuration hints.

Affected Systems

The issue affects the Spring Framework across multiple major releases: 5.3.0 to 5.3.48, 6.1.0 to 6.1.27, 6.2.0 to 6.2.18, and 7.0.0 to 7.0.7. The advisory is relevant for all projects that rely on the Spring Framework for handling web requests via Spring MVC or the reactive WebFlux module.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity and the public availability of no EPSS data suggests the exploit likelihood is currently unknown. The vulnerability is remote, accessible over HTTP, and does not require authentication per the description. Although it is not listed in CISA’s KEV catalog, the potential for exposing internal paths makes it a concern for organizations handling sensitive or regulated data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Spring

Spring Framework

unaffected

Version	Status	Constraints
`7.0.0`	affected	< 7.0.8
`6.2.0`	affected	< 6.2.19
`6.1.0`	affected	< 6.1.28
`5.3.0`	affected	< 5.3.49

Configuration 1 [-]

OR	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::

No data.

Vendor Product Confidence Versions

Spring

Spring Framework

100%

Version	Status	Scheme	Platform
`[7.0.0,7.0.8)`	affected	semver	—
`[6.2.0,6.2.19)`	affected	semver	—
`[6.1.0,6.1.28)`	affected	semver	—
`[5.3.0,5.3.49)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Spring Framework to a fixed release – 5.3.49 or later, 6.1.28 or later, 6.2.19 or later, or 7.0.8 or later. This patch removes the logic that leaks static resource information.
If an immediate upgrade is not feasible, isolate the affected application behind a network filter that restricts access to static resource URLs or employ application firewall rules to block suspicious requests targeting unknown or internal paths.
Verify that the web application’s static resource configuration does not expose hidden directories and enforce strict cache policies that prevent path disclosure.

Generated by OpenCVE AI on June 9, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://spring.io/security/cve-2026-41841

History

Tue, 09 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vmware Vmware spring Framework
CPEs		cpe:2.3:a:vmware:spring_framework::::::::
Vendors & Products		Vmware Vmware spring Framework

Tue, 09 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 05:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spring Spring spring Framework
Vendors & Products		Spring Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title		Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux
Weaknesses		CWE-524
References		https://spring.io/security/cve-2026-41841
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Spring Spring Framework

Vmware Spring Framework

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-09T03:50:20.843Z

Updated: 2026-06-09T13:31:49.850Z

Reserved: 2026-04-22T06:22:01.123Z

Link: CVE-2026-41841

Vulnrichment

Updated: 2026-06-09T13:31:46.207Z

NVD

Status : Analyzed

Published: 2026-06-09T05:16:36.087

Modified: 2026-06-09T20:38:00.927

Link: CVE-2026-41841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:30:36Z

Weaknesses

CWE-524

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object