Description
Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.
Published: 2026-06-09
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from faulty host parsing in Spring Framework's UriComponentsBuilder. When user-supplied URL strings are processed without adequate validation, an attacker can craft a request that causes the server to contact arbitrary internal or external resources. This can lead to disclosure of sensitive data, cross-system lateral movement, or denial-of-service conditions, all falling under CWE-918 (server-side request forgery).

Affected Systems

Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18 are affected. The issue is specific to applications that incorporate UriComponentsBuilder for URL parsing and validation.

Risk and Exploitability

The CVSS score of 4.2 indicates a moderate severity, while the EPSS score is currently unavailable and the vulnerability is not listed in KEV. An attacker would need to supply a specially crafted URL that is passed to UriComponentsBuilder, which is typically invoked via HTTP requests. Because the vulnerability only manifests when applications accept untrusted URLs, the likelihood of exploitation in the absence of such functionality is relatively low, yet the potential impact warrants prompt remediation. Continuous monitoring for exploitation attempts is advised until a patch is applied.

Generated by OpenCVE AI on June 9, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Spring Framework release (7.0.8 or newer, or 6.2.19 or newer).
  • Validate any externally supplied URLs against a strict whitelist, rejecting disallowed schemes and hostnames before they are passed to UriComponentsBuilder.
  • If URL parsing is unavoidable, consider replacing UriComponentsBuilder with a custom implementation that enforces strict host validation, or disable the feature altogether.
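One way to implement the allowlist check in the second recommendation, as an added example rather than code from Spring or OpenCVE: the caller-supplied string is parsed with java.net.URI, its scheme and host are compared against a hypothetical allowlist, and the host is then cross-checked against what UriComponentsBuilder itself extracts, so a disagreement between the two parsers fails closed. The class name and the allowlisted host names are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/** Allowlist gate applied before a caller-supplied URL string reaches UriComponentsBuilder. */
public final class OutboundUrlValidator {

    // Hypothetical allowlist: the only hosts this service may be asked to contact.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");
    private static final Set<String> ALLOWED_SCHEMES = Set.of("https");

    private OutboundUrlValidator() {}

    /**
     * Returns the validated URI or throws IllegalArgumentException.
     * The host is checked with java.net.URI first, then cross-checked against the host
     * UriComponentsBuilder extracts, so a disagreement between the two parsers is rejected
     * instead of silently trusted.
     */
    public static URI validate(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!uri.isAbsolute() || !ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed");
        }
        // getHost() is null when the authority is not a syntactically valid host (e.g. registry-based).
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("unparseable host or userinfo present");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        // Cross-check: the host Spring would route to must be exactly the allowlisted one.
        UriComponents spring = UriComponentsBuilder.fromUriString(raw).build();
        String springHost = spring.getHost() == null ? null : spring.getHost().toLowerCase(Locale.ROOT);
        if (!host.equals(springHost) || spring.getUserInfo() != null) {
            throw new IllegalArgumentException("parser disagreement on host");
        }
        return uri;
    }
}
```

Downstream code should build the outbound request from the returned URI rather than re-parsing the raw string, so the host that was checked is the host that is contacted.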

Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 06:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Spring; Spring spring Framework
Vendors & Products                     Spring; Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type          Values Removed   Values Added
Description                    Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.
Title                          Spring Framework Server-Side Request Forgery via UriComponentsBuilder
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}


Subscriptions

Spring Spring Framework
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:25:15.484Z

Reserved: 2026-04-22T06:22:10.081Z

Link: CVE-2026-41854

Vulnrichment

Updated: 2026-06-09T13:25:12.010Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:37.647

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T06:15:06Z

Weaknesses