CVE-2026-41853: Spring Framework Multipart Request Smuggling Vulnerability
Spring Framework versions 5.3.0 through 7.0.7 contain a vulnerability allowing attackers to perform multipart request smuggling attacks. This vulnerability lets unauthenticated remote attackers craft malformed multipart HTTP requests that can be interpreted differently by intermediate proxies or load balancers versus the Spring application itself, potentially leading to request confusion and unauthorized actions. No user interaction is required, and the vulnerability affects both Spring MVC and WebFlux application handlers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-444
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41853 is a multipart request smuggling vulnerability (CWE-444) in Spring Framework's handling of HTTP multipart requests. The vulnerability exists in Spring MVC and WebFlux request processing pipelines across multiple version branches: 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. Attackers can exploit inconsistencies in how Spring parses multipart boundaries and request content to cause HTTP request desynchronization attacks, potentially bypassing security controls or routing requests to unintended handlers. The CVSS 3.1 score of 5.3 (MEDIUM) reflects network-accessible exploitation with low complexity and integrity impact.
Business impact
Organizations running Spring-based applications face potential integrity compromise through request smuggling attacks. An attacker could manipulate application state, submit unauthorized data, trigger unintended business logic, or bypass input validation controls. While confidentiality is not directly compromised and availability impact is minimal, the integrity risk is significant—particularly for applications handling financial transactions, authentication/authorization decisions, or sensitive state changes. The attack requires no authentication or user interaction, making it exploitable at scale if exposed to untrusted networks.
Affected systems
All Spring Framework instances in the following branches are affected: version 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. Both Spring MVC (servlet-based) and Spring WebFlux (reactive) implementations are vulnerable. Applications using earlier versions (5.2 and below) and patched versions beyond those ranges are not affected. The vulnerability applies to any deployment—on-premises, cloud, or containerized—running vulnerable Spring Framework versions.
Exploitability
This vulnerability has a low attack complexity and requires no privileges or user interaction. An attacker with network access to a Spring application can craft a specially formed multipart HTTP request to trigger the smuggling condition. No pre-authentication or social engineering is needed. However, practical exploitation depends on the application's HTTP routing configuration and whether intermediate proxies or load balancers interpret multipart boundaries differently than Spring does. The lack of KEV (Known Exploited Vulnerability) designation as of the source data date suggests active wild exploitation has not been publicly documented, but the low barrier to exploitation means defensive action should not be delayed.
Remediation
Upgrade Spring Framework to patched versions beyond the affected ranges: use 7.0.8 or later for the 7.0 branch, 6.2.19 or later for 6.2, 6.1.28 or later for 6.1, or 5.3.49 or later for 5.3. Verify the exact patch version against the official VMware Spring Framework security advisory to ensure completeness. Organizations unable to patch immediately should implement request validation to detect and reject malformed multipart payloads, and consider deploying Web Application Firewall (WAF) rules to block smuggling patterns. Network segmentation limiting untrusted access to Spring applications reduces immediate risk.
Patch guidance
Patches are available for all affected version branches. Priority your upgrades by application criticality: prioritize production systems, then non-production environments. For Spring Boot applications, update the spring-framework dependency in your build configuration (Maven pom.xml or Gradle build.gradle) and run your full test suite before deployment. Verify patch application by checking the Spring Framework version string in application logs or through dependency inspection tools. Test multipart file upload functionality specifically post-patch to confirm no regression. Rolling deployments are recommended for high-availability environments to maintain uptime during the upgrade.
Detection guidance
Monitor HTTP request logs for suspicious multipart requests with abnormal or repeated boundary markers, incomplete Content-Length headers, or boundaries appearing in unexpected positions within the request body. Network-based detection can inspect for request smuggling patterns using IDS/IPS signatures targeting multipart desynchronization techniques. Application-level monitoring should flag requests that trigger parsing errors in multipart handling. Check application server logs for 400-series errors related to multipart parsing, which may indicate attack attempts. If Web Application Firewall is deployed, enable multipart request validation rules.
Why prioritize this
Although CVSS 5.3 (MEDIUM) may seem modest, the combination of network accessibility, zero authentication requirements, and integrity-focused impact warrants prompt patching. Multipart request smuggling can be weaponized against applications that rely on request integrity for security decisions. Organizations with publicly exposed Spring endpoints should prioritize this patch in the near term. The fact that no ransomware or active wild exploitation has been documented provides a small operational window; however, exploit simplicity means that delay increases risk unnecessarily.
Risk score, explained
CVSS 3.1/5.3 reflects: Attack Vector = Network (AV:N) because the vulnerability is remotely exploitable; Attack Complexity = Low (AC:L) because no special conditions are required; Privileges Required = None (PR:N) and User Interaction = None (UI:N) because no authentication or user click-through is needed; Confidentiality = None (C:N) and Availability = None (A:N) because the attack does not leak secrets or crash services; Integrity = Low (I:L) because the attacker can influence request routing and data integrity without full control. The MEDIUM severity reflects material but not critical risk.
Frequently asked questions
Does this vulnerability require the Spring application to be publicly internet-facing?
The vulnerability is remotely exploitable over the network, so yes, it requires network-level access. However, that access does not need to be from the public internet—it applies to any untrusted network segment with connectivity to the Spring application. Internal networks where less-trusted users or systems can reach the application are also at risk.
Will our Web Application Firewall (WAF) automatically block this attack?
Not automatically, unless your WAF has multipart request smuggling rules enabled. We recommend enabling multipart validation features and custom rules that detect boundary inconsistencies or content-length mismatches. However, WAF is a defensive layer only; patching Spring Framework remains the definitive fix.
What is the difference between patched and unpatched request handling?
Patched versions correct the parsing logic to consistently and unambiguously handle multipart boundaries and content delimiters, eliminating the desynchronization window that attackers exploit. Unpatched versions process multipart requests in a way that can be reinterpreted by proxies or load balancers upstream, allowing request smuggling.
Are Spring Boot applications automatically vulnerable, or only pure Spring Framework?
Spring Boot applications that include the Spring Framework dependency (nearly all of them) are vulnerable if they run affected Spring Framework versions. Spring Boot does not add a separate layer of protection against this vulnerability—the patch must come from upgrading the underlying Spring Framework dependency.
This analysis is provided for informational purposes and is based on publicly available data as of the CVE publication and modification dates. SEC.co does not guarantee the accuracy of vendor advisory links or patch availability; readers should verify patch version numbers and download locations directly from VMware's official Spring Framework security advisories. No exploit code or weaponized proof-of-concept details are included. Organizations should conduct internal risk assessment based on their specific deployment configurations, application architecture, and network exposure before prioritizing remediation. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47676MEDIUMHono Path Encoding Vulnerability in app.mount()
- CVE-2026-6324MEDIUMlibsoup Chunked Encoding Integer Conversion Vulnerability
- CVE-2026-44546LOWDaphne HTTP Header Injection Vulnerability (4.2.2)
- CVE-2026-40989MEDIUMSpring Cloud Function Infinite Recursion OOM Vulnerability
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-41838MEDIUMSpring Framework WebSocket Session ID Predictability – Spring Security Risk
- CVE-2026-41839MEDIUMSpring Framework WebFlux Session Fixation Vulnerability
- CVE-2026-41840MEDIUMSpring WebFlux Multipart DoS Vulnerability – Patch Guide