MEDIUM 4.2

CVE-2026-41854: Spring Framework UriComponentsBuilder SSRF Vulnerability

CVE-2026-41854 is a server-side request forgery (SSRF) vulnerability in Spring Framework caused by incorrect parsing of host names in URLs. When an application uses Spring's UriComponentsBuilder to process a URL provided by an external user, an attacker could craft a malicious URL that causes the application to make unintended requests to internal systems or services. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18. Exploitation requires user interaction and presents moderate risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.2 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-918
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-27

NVD description (verbatim)

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from a flaw in UriComponentsBuilder's host parsing logic. This component is commonly used to construct and validate URIs from untrusted input. An attacker can exploit the parsing weakness by submitting a specially crafted URL that bypasses host validation checks, allowing the application to interpret the URL in an unintended way. The resulting SSRF condition enables the attacker to direct the application to make HTTP requests to arbitrary destinations—including internal IP addresses, private APIs, or cloud metadata endpoints—that would normally be restricted from external access. The CVSS 3.1 score of 4.2 (MEDIUM) reflects the requirement for user interaction and the limited impact scope (information disclosure and minor integrity risk).

Business impact

An SSRF vulnerability in URL parsing libraries can have significant operational consequences depending on deployment context. Applications that validate or proxy URLs based on user input are at risk; compromised systems could leak sensitive internal information, access private APIs, or trigger unintended state changes in backend services. For organizations relying on Spring Framework for API gateways, webhook processors, or URL validators, this presents a lateral movement risk. The need for user interaction (clicking a link or submitting a form) somewhat limits the attack surface, but in multi-tenant or high-volume scenarios, the likelihood of exploitation increases. Timely patching is important to reduce exposure, particularly for services handling untrusted URLs.

Affected systems

Spring Framework 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18 are affected. Any Java application using these versions and calling UriComponentsBuilder to parse externally provided URLs is potentially vulnerable. This includes Spring Boot applications, Spring Cloud services, and custom applications that directly depend on Spring Framework. Organizations should inventory applications using affected versions and audit code paths where UriComponentsBuilder processes user-supplied URL strings.

Exploitability

Exploitability is limited by the requirement for user interaction. An attacker cannot trigger exploitation passively; instead, they must convince a user to click a malicious link or submit a crafted URL through a form. However, the attack surface widens in scenarios involving automated URL processing, webhook integrations, or open redirectors. The attack complexity is high, meaning the attacker must navigate specific conditions or craft payloads carefully. Overall, this is not a trivial remote code execution vector, but it remains a practical concern for SSRF-prone architectures.

Remediation

VMware has released patched versions of Spring Framework that correct the host parsing logic in UriComponentsBuilder. Organizations should upgrade to Spring Framework 7.0.8 or later (for the 7.0.x line) and 6.2.19 or later (for the 6.2.x line). Verification against the official VMware Spring Framework security advisory is essential to confirm exact patch versions and any compatibility notes. For organizations unable to patch immediately, implement defensive measures: validate and sanitize URL inputs independently of UriComponentsBuilder, restrict the destinations to which the application can connect (allowlist approach), and run applications with minimal network permissions.

Patch guidance

Update Spring Framework to version 7.0.8 or later if currently on 7.0.x, or to 6.2.19 or later if on 6.2.x. Consult the VMware Spring Framework security advisory for precise version numbers, release dates, and any migration guidance. Test patched versions thoroughly in a staging environment, particularly for applications that construct or validate URIs. If immediate patching is not feasible, prioritize applications that process user-submitted URLs or integrate with external services. Review dependency management configurations to ensure upgrades do not introduce breaking changes or transitive dependency conflicts.

Detection guidance

Monitor application logs for unusual URI construction patterns or unexpected HTTP requests to internal IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints (e.g., 169.254.169.254). Implement network segmentation to restrict outbound connections from application servers to necessary destinations only. Review source code repositories for calls to UriComponentsBuilder with user-controlled input and assess whether the parsed URIs are then used in HTTP requests. Web application firewalls and proxy-based controls can help detect and block SSRF payloads, though Spring-level patching remains the definitive solution.

Why prioritize this

Although the CVSS score is moderate (4.2), prioritization should account for deployment context. Any application that parses user-supplied URLs—especially those exposed to the internet—should be patched with urgency. The vulnerability aligns with CWE-918 (SSRF), a class of attack that has driven real-world incidents affecting cloud services and internal APIs. The requirement for user interaction is a mitigating factor, but the relative ease of crafting a malicious URL and the potential to reach internal systems justify swift remediation. Organizations should treat this as medium-to-high priority within their patching cadence.

Risk score, explained

The CVSS 3.1 score of 4.2 reflects a network-accessible vulnerability (AV:N) with high attack complexity (AC:H), no privilege escalation (PR:N), and a requirement for user interaction (UI:R). The impact is limited to low-level confidentiality and integrity loss with no availability impact (C:L/I:L/A:N). The scope is unchanged (S:U). This rating appropriately captures the practical constraints: while the vulnerability is exploitable in theory, real-world attacks require user action and careful payload construction. Context-specific risk may be higher if the affected application handles sensitive data or exposes privileged internal endpoints.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. CVE-2026-41854 is an SSRF vulnerability, not a code execution flaw. An attacker can direct the application to make unintended HTTP requests to internal systems, potentially disclosing information or triggering state changes, but cannot execute arbitrary code on the server.

Do we need to patch immediately if we don't use UriComponentsBuilder directly?

If your application uses Spring Framework but does not explicitly call UriComponentsBuilder for URL parsing, your direct risk is lower. However, other Spring components or third-party libraries may use UriComponentsBuilder internally. Review your dependency tree and consult your security team or VMware documentation to confirm exposure.

What is the difference between the 7.0.x and 6.2.x patches?

Both version lines are affected and both have patches available. Use the 7.0.x patch if you're running Spring Framework 7.0.x; use the 6.2.x patch if on 6.2.x. Consult the VMware advisory for exact version numbers and any differences in remediation approach between the two lines.

Can we mitigate this without patching?

Temporary mitigations include validating and filtering user-supplied URLs using independent logic before passing them to UriComponentsBuilder, restricting outbound network access from the application to an allowlist of safe destinations, and applying web application firewall rules to block SSRF payloads. However, these are not substitutes for patching and should be used only as interim measures.

This analysis is provided for informational purposes to support security decision-making. It is based on publicly disclosed information and the vendor advisory as of the publication date. Patch version numbers, timelines, and technical details may change; organizations must verify information against official VMware Spring Framework security advisories before implementing remediation. This page does not constitute legal or compliance advice. No liability is assumed for inaccuracies, delays, or consequences of any actions taken based on this intelligence. Always conduct independent testing and validation in your environment before deploying patches or mitigations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).