MEDIUM 4.8

CVE-2026-41847: Spring WebFlux Kotlin Router DSL Security Bypass (CVSS 4.8)

Spring WebFlux applications using Kotlin Router DSL are vulnerable to a security bypass that could allow an attacker to circumvent intended access controls. The issue affects Spring Framework versions 5.3.0 through 5.3.48 and requires specific configuration conditions to exploit, making it a moderate-severity concern for teams running these versions in production.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-284
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability is rooted in improper access control enforcement (CWE-284) within Spring WebFlux's Kotlin Router DSL implementation. When applications define routes using this DSL, certain security checks may be bypassed under specific conditions, potentially allowing unauthorized access to protected resources. The attack vector is network-based with high complexity, meaning an attacker must craft conditions carefully to trigger the bypass, but no authentication is required and no user interaction is necessary.

Business impact

Organizations running Spring WebFlux with Kotlin Router DSL could face unauthorized data disclosure or modification of application state, depending on what resources are exposed by the affected routes. The impact is limited to confidentiality and integrity; availability is not compromised. Teams operating microservices or reactive APIs built on vulnerable Spring Framework versions should evaluate whether this configuration is in use and whether exposed endpoints handle sensitive data or operations.

Affected systems

VMware Spring Framework versions 5.3.0 through 5.3.48 are affected when used with the Kotlin Router DSL feature in Spring WebFlux. This primarily impacts Java applications that have explicitly adopted the Kotlin-based routing API for reactive request handling. Applications using traditional Spring MVC or Java-based Router DSL are not affected by this specific issue.

Exploitability

While the CVSS vector indicates high attack complexity (AC:H), suggesting exploitation requires specific preconditions, this vulnerability does not appear on the KEV catalog as of now, indicating either limited in-the-wild exploitation or insufficient public proof-of-concept details. Attackers would need detailed knowledge of the target application's Kotlin Router DSL configuration to reliably exploit the bypass, but the network-accessible nature and lack of authentication requirement mean opportunistic scanning could identify vulnerable endpoints.

Remediation

Upgrade Spring Framework to a version beyond 5.3.48. Verify the exact patched version against VMware's official security advisory before deployment. In the interim, review your Kotlin Router DSL route definitions for sensitive endpoints and consider applying additional security layers such as API gateway authentication, request filtering, or role-based access control middleware independent of the router configuration.

Patch guidance

Consult VMware's official Spring Framework security advisory for the specific patched version number and availability timeline. Test the upgrade in a staging environment thoroughly, as Spring Framework updates may introduce compatibility changes. If you maintain a custom fork or extension of Spring, ensure any overrides to the Kotlin Router DSL are also reviewed for similar access control issues.

Detection guidance

Monitor application logs for unexpected access patterns to endpoints defined via Kotlin Router DSL, particularly unusual request paths or parameter combinations that might indicate bypass attempts. Review your Spring Framework version in runtime and build artifacts using dependency scanning tools. If you have detailed request logs, look for patterns where authentication or authorization headers are missing or malformed yet requests still succeed, which may indicate the bypass is being triggered.

Why prioritize this

Although rated MEDIUM severity, this vulnerability should be prioritized based on your application's reliance on Kotlin Router DSL for security-sensitive endpoints. If you do not use this specific DSL feature, the risk is effectively zero. For those who do, the ability to bypass access controls—even with high exploitation complexity—warrants prompt patching, especially if the affected routes expose user data, modify system state, or integrate with sensitive business logic.

Risk score, explained

The CVSS 3.1 score of 4.8 reflects a network-accessible bypass (AV:N) with high attack complexity (AC:H), limited impact on confidentiality and integrity (C:L, I:L), and no availability impact (A:N). The high complexity factor acknowledges that successful exploitation requires specific preconditions, likely related to how routes are configured or which request patterns are sent. The network vector and lack of authentication requirement prevent a lower score despite the complexity barrier.

Frequently asked questions

Do I need to patch if I'm using Spring WebFlux but not the Kotlin Router DSL?

No. This vulnerability is specific to the Kotlin Router DSL implementation. If your application uses Java-based Router DSL or traditional Spring MVC with WebFlux, you are not affected by CVE-2026-41847. Review your codebase to confirm which routing approach you've adopted.

What is the difference between Spring Framework and Spring Boot in terms of this vulnerability?

Spring Framework is the underlying library; Spring Boot is a framework that simplifies Spring configuration. If your Spring Boot application depends on a vulnerable Spring Framework 5.3.x version, you inherit the risk. Check your pom.xml or build.gradle for the explicit Spring Framework version and update both Spring Framework and any dependent Spring Boot version as needed.

Can I work around this vulnerability without upgrading?

A complete workaround is not practical without code changes. However, you may reduce risk by adding security filters or API gateway controls upstream of your application, ensuring all requests undergo additional authentication and authorization checks independent of the router. This is not a substitute for patching but may buy time during planning.

Why isn't this vulnerability on the CISA KEV catalog?

The KEV catalog tracks vulnerabilities with evidence of active exploitation in the wild. This vulnerability may not yet have public exploits, or exploitation may be limited to specific configurations. Its absence from KEV does not mean it is less serious—patch based on your specific use of Kotlin Router DSL, not on KEV status alone.

This analysis is provided for informational purposes to help security teams contextualize CVE-2026-41847. Patch version numbers and release timelines must be verified against VMware's official Spring Framework security advisory. Organizations should conduct their own risk assessment based on their specific use of Kotlin Router DSL and the sensitivity of exposed endpoints. No exploit code or weaponized proof-of-concept is provided or recommended. Always test patches in a staging environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).