Description
Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring MVC and WebFlux applications may allow attackers to perform path traversal when resolving versioned static resources. The vulnerability is triggered by crafting URLs that map to internal files outside the intended web root. If successful, it can expose any file readable by the application process, potentially leaking sensitive configuration or source code. This flaw is categorized as CWE-22, reflecting improper path handling.

Affected Systems

Affected versions include Spring Framework 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7. The core issue is present in the static resource resolver for both MVC and WebFlux modules across these releases.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. EPSS is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. The path traversal could be achieved by any user who can send a request to the application, so authentication is not required. Attackers may abuse the flaw without additional privileges, making the risk context-dependent on the application's exposure to external traffic. Organizations should treat this as a moderate risk until a fix is applied.

Generated by OpenCVE AI on June 9, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to at least 5.3.49, 6.1.28, 6.2.19, or 7.0.8, whichever matches your environment.
  • If an immediate upgrade is not possible, restrict static resource path mapping by configuring the resource handler to allow only whitelisted directories or disable versioned static resource support.
  • Run the application with the minimum file system permissions required, limiting the ability of the process to read sensitive files, and monitor for anomalous static resource requests.


Advisories

No advisories yet.

References

History

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vmware; Vmware spring Framework
CPEs | | cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Vendors & Products | | Vmware; Vmware spring Framework

Tue, 09 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spring; Spring spring Framework
Vendors & Products | | Spring; Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title | | Spring Framework Path Traversal via Versioned Static Resources in Spring MVC and WebFlux
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:32:33.706Z

Reserved: 2026-04-22T06:22:01.123Z

Link: CVE-2026-41843

Vulnrichment

Updated: 2026-06-09T13:32:30.665Z

NVD

Status : Analyzed

Published: 2026-06-09T05:16:36.320

Modified: 2026-06-09T20:37:05.070

Link: CVE-2026-41843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:45:26Z

Weaknesses