CVE-2026-41840: Spring WebFlux Multipart DoS Vulnerability – Patch Guide
Spring WebFlux applications running affected versions of Spring Framework contain a denial-of-service vulnerability triggered by specially crafted multipart requests. An unauthenticated remote attacker can exploit this to disrupt application availability without requiring special network access or user interaction. The vulnerability affects a wide range of Spring Framework versions spanning multiple release lines, making it broadly relevant to organizations using Spring-based web services.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-401
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-26
NVD description (verbatim)
Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41840 is a resource exhaustion vulnerability in Spring WebFlux's multipart request handling. The vulnerability stems from improper resource management (CWE-401) when processing multipart form data, allowing an attacker to craft requests that consume excessive server resources and trigger a denial of service condition. The attack does not require authentication, network privileges, or user interaction, though it does require some degree of attack complexity to exploit effectively. The vulnerability affects Spring Framework versions 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, and 7.0.0–7.0.7.
Business impact
Availability impact is the primary concern. Successful exploitation can render Spring WebFlux applications unresponsive, disrupting dependent services and end-user access. The moderate CVSS score reflects the availability-only risk; confidentiality and integrity are not compromised. For mission-critical microservices architectures, even brief service interruptions can cascade across multiple dependent systems. Organizations relying on Spring-based APIs for core business operations should prioritize patching to minimize operational risk.
Affected systems
VMware Spring Framework versions spanning four major/minor release lines are affected: 5.3.x (up to 5.3.48), 6.1.x (up to 6.1.27), 6.2.x (up to 6.2.18), and 7.0.x (up to 7.0.7). Any application using Spring WebFlux (Spring's reactive web framework) within these versions and accepting multipart requests—such as file upload endpoints—is vulnerable. Organizations must audit their dependency trees to identify affected Spring Framework versions, regardless of whether applications explicitly depend on Spring WebFlux or inherit it transitively.
Exploitability
The attack is network-accessible and requires no authentication or user interaction, lowering the barrier to exploitation. However, the moderate attack complexity suggests the attacker must craft requests with specific characteristics to trigger the resource exhaustion. The vulnerability is not yet in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild has not been confirmed as of the last update. Nevertheless, the straightforward attack vector (HTTP multipart requests) means exploitation capability could be developed or discovered quickly once the vulnerability details are widely publicized.
Remediation
Upgrade Spring Framework to a patched version immediately. For each affected line: 5.3.x users should update to 5.3.49 or later, 6.1.x to 6.1.28 or later, 6.2.x to 6.2.19 or later, and 7.0.x to 7.0.8 or later. Verify the exact patch version against VMware's official Spring Framework security advisory to ensure you are applying the correct fix. If immediate patching is not feasible, disable or restrict multipart request handling on exposed endpoints as a temporary mitigation. Review network access controls to limit which clients can reach affected endpoints.
Patch guidance
Begin by inventorying applications and their Spring Framework dependencies using build tools (Maven, Gradle) to identify those within affected version ranges. Prioritize patching production systems first, followed by development and staging environments. Test patches in a staging environment to verify compatibility with your application before deploying to production. Monitor Spring Framework release notes and VMware security advisories for any patch supersessions or additional guidance. Consider implementing automated dependency scanning in your CI/CD pipeline to prevent future use of vulnerable Spring Framework versions.
Detection guidance
Monitor application logs for unusual spikes in multipart request processing, resource consumption, or error rates that correlate with incoming HTTP requests. Network intrusion detection systems can flag suspicious patterns of multipart requests, particularly those with abnormal headers, payload sizes, or repetition rates targeting file-upload or form-processing endpoints. Endpoint monitoring should track CPU and memory usage of Java processes running Spring WebFlux applications; DoS attacks typically manifest as sustained elevation in resource consumption. Correlate application performance monitoring (APM) data with access logs to identify whether elevated resource usage coincides with specific client IP addresses or request patterns.
Why prioritize this
This vulnerability warrants near-term action despite its medium CVSS score because of the breadth of affected versions, the ubiquity of Spring Framework in enterprise Java ecosystems, and the availability impact. The unauthenticated, network-accessible nature of the attack combined with the lack of user-interaction requirements makes it operationally significant. Organizations with public-facing or internal microservices built on Spring WebFlux should prioritize patching ahead of less-accessible vulnerabilities. The four affected release lines mean even legacy applications on 5.3.x may require attention, complicating patch management.
Risk score, explained
The CVSS 3.1 score of 5.9 (MEDIUM) reflects availability impact as the primary risk (high impact on availability) paired with moderate attack complexity and no impact on confidentiality or integrity. The score appropriately captures that while an attacker can disrupt service, they cannot steal data or modify system behavior. However, context matters: for critical services, availability impact alone justifies urgent patching. The moderate attack complexity suggests non-trivial exploitation but does not eliminate the threat, especially as proof-of-concept code or exploitation techniques become public.
Frequently asked questions
Do we need to patch if we don't use multipart requests?
Multipart request handling is a core feature of web frameworks. If your Spring WebFlux application accepts any HTTP POST or PUT requests from untrusted sources—even if you do not explicitly process multipart data—the vulnerability could still be exploited. Audit your application endpoints carefully. Patching remains the safest option.
Can we mitigate without patching immediately?
Temporary mitigations include disabling multipart request handling on public endpoints, restricting HTTP access via network firewalls to trusted IPs only, and configuring reverse proxies (nginx, AWS ALB) to reject oversized multipart requests. These measures buy time but are not substitutes for patching. Plan patching for your next maintenance window.
Does this affect Spring MVC applications?
CVE-2026-41840 specifically targets Spring WebFlux, which is Spring's reactive, non-blocking web framework. Traditional Spring MVC applications using servlet-based request handling are not affected by this vulnerability. Verify your application architecture to determine which framework you are using.
Is this vulnerability exploited in the wild?
As of the latest update, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, suggesting active exploitation has not been documented. However, absence from the KEV list does not guarantee the vulnerability is unexploited; assume threat actors are analyzing it and prioritize patching accordingly.
This analysis is based on publicly available vulnerability data current as of June 2026. Patch version numbers and specific remediation steps should be verified against VMware's official Spring Framework security advisory before deployment. This content is for informational purposes and does not constitute professional security advice. Organizations should conduct their own risk assessment based on their specific environment, architecture, and business context. Always test patches in non-production environments before broad deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45682MEDIUMOpenTelemetry eBPF Instrumentation Memory Leak in Java TLS State Tracking
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak
- CVE-2026-46171MEDIUMLinux RISC-V KVM Vector Context Memory Leak
- CVE-2026-46182MEDIUMLinux Kernel PAPR Hypervisor Pipe Information Disclosure Vulnerability