MEDIUM 5.9

CVE-2026-41841: Spring Framework Static Resource Information Disclosure

Spring MVC and WebFlux applications contain a vulnerability that can leak sensitive information through improper handling of static resource requests. An attacker can craft requests to bypass normal access controls and read files that should be protected, though successful exploitation requires specific conditions. The vulnerability affects multiple Spring Framework versions across several release lines.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-524
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-27

NVD description (verbatim)

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from inadequate validation when Spring MVC and WebFlux resolve static resources. The flaw allows information disclosure through CWE-524 (Exposure of Sensitive Information Through Cached Data or Logs). An attacker without authentication can potentially access restricted files by manipulating resource resolution logic. The CVSS 3.1 score of 5.9 reflects high confidentiality impact but limited attack surface—exploitation requires relatively specific conditions (AC:H) and cannot be executed remotely without user interaction boundaries, though no user interaction is strictly required.

Business impact

Confidentiality breaches could expose application secrets, configuration data, or customer information embedded in or accessible through static resources. For organizations running Spring-based applications, the risk depends on what sensitive data might be accessible through resource endpoints. This is particularly concerning for multi-tenant or compliance-heavy environments where unauthorized information access triggers breach notification obligations and regulatory scrutiny.

Affected systems

Spring Framework versions 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48 are vulnerable. Any application using Spring MVC or Spring WebFlux for static resource serving is in scope. Organizations should audit their Spring versions immediately, as both current (7.x, 6.2.x) and legacy (6.1.x, 5.3.x) lines are affected.

Exploitability

This is not a publicly known exploit (KEV status: not added). Exploitation requires network access and specific knowledge of the target application's resource structure, reflected in the AC:H (Attack Complexity: High) rating. While no authentication is needed, the attacker must understand how the application resolves and caches resources to successfully bypass controls. This limits exploitation to targeted attacks rather than opportunistic scanning.

Remediation

Upgrade Spring Framework to patched versions: verify against the vendor advisory for exact patch version numbers across all four affected release lines. Organizations unable to patch immediately should restrict access to static resource endpoints via WAF rules or reverse proxy configurations, and audit logs for suspicious resource access patterns.

Patch guidance

Contact VMware or consult the official Spring Framework security advisory for specific patched versions corresponding to each release line (5.3.x, 6.1.x, 6.2.x, 7.0.x). Apply patches in a staged manner, testing thoroughly in non-production environments first given the breadth of affected versions. Prioritize applications exposing sensitive static resources or serving multi-tenant workloads.

Detection guidance

Monitor application logs and WAF logs for anomalous requests to static resource endpoints, particularly those containing path traversal sequences or encoded characters that might indicate resource path manipulation. Look for successful responses returning unexpected file types or sizes. Network-level detection should flag requests to static endpoints from IPs not in expected client ranges if your environment permits such segmentation.

Why prioritize this

Although rated MEDIUM severity and not yet weaponized, this vulnerability affects four major Spring Framework version lines and impacts a core feature (static resource resolution). Organizations running Spring applications should treat this with high priority for inventory and patching given the widespread deployment of Spring MVC/WebFlux, the simplicity of the attack vector, and the potential for high-value data exposure in production environments.

Risk score, explained

CVSS 5.9 (MEDIUM) reflects high confidentiality impact (C:H) but limited exploitability: attack complexity is high (AC:H), no user interaction is required, and attack is network-based. The score appropriately captures that while the vulnerability is serious, real-world exploitation demands reconnaissance and specific conditions rather than blind exploitation. Context—your application's sensitivity and exposure—should inform internal risk prioritization above the base CVSS.

Frequently asked questions

Do we need to upgrade every Spring Framework version line affected?

Yes. All four release lines (7.0, 6.2, 6.1, and 5.3) contain the flaw. However, prioritize upgrading the lines you actively run in production. If you maintain legacy 5.3.x instances, treat them equivalent in risk to modern versions for this particular flaw.

What if we don't expose static resources publicly?

If your Spring application does not serve static content via MVC/WebFlux (for example, you use a separate web server for static assets), your exposure is reduced but not eliminated if any static resource handling is enabled. Audit your Spring configuration to confirm static resource serving is truly disabled.

Will a WAF rule fully protect us until we patch?

A WAF can mitigate by blocking suspicious resource requests, but it is not a substitute for patching. Properly scoped WAF rules can reduce attack surface while you stage patch deployment, but they add operational complexity and cannot guarantee complete protection against all variants.

Is this vulnerability actively exploited in the wild?

No—the vulnerability is not on CISA's KEV list and has not been added to public exploit databases as of the publication date. However, the relatively straightforward nature of the attack means active exploitation could emerge once broader awareness spreads.

This analysis is based on published CVE data and vendor advisories current as of the modification date (2026-06-27). Patch version numbers and specific remediation steps should be verified against the official VMware Spring Framework security advisory before deployment. This assessment does not constitute professional security advice; engage your security team and vendor support for environment-specific risk evaluation and patch planning. No exploit code or weaponization details are provided herein. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).