Description
Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Spring Framework allows an attacker to craft a multipart HTTP request that can be interpreted incorrectly by the server, leading to request smuggling. Based on the description, it is inferred that such misinterpretation could expose the application to unintended request handling or execution errors.

Affected Systems

Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are affected. The flaw is present in both Spring MVC and WebFlux modules.

Risk and Exploitability

With a CVSS score of 5.3 the vulnerability is classified as medium. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is over the network, requiring an attacker to send a crafted multipart request; no specific access control prerequisites are required, making the risk moderate in publicly exposed environments.

Generated by OpenCVE AI on June 9, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to a version newer than 5.3.48, 6.1.27, 6.2.18 or 7.0.7 to incorporate the fix.
  • If upgrading immediately is not possible, harden multipart parsing by rejecting requests with malformed or mismatched boundary delimiters and enforcing strict Content-Type validation.
  • Monitor application logs and network traffic for anomalous multipart request patterns that may indicate smuggling attempts.


Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spring; Spring spring Framework
Vendors & Products | | Spring; Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title | | Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux
Weaknesses | | CWE-444
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:23:36.844Z

Reserved: 2026-04-22T06:22:08.200Z

Link: CVE-2026-41853

Vulnrichment

Updated: 2026-06-09T13:22:20.747Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T05:16:37.523

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T06:15:06Z

Weaknesses