cvelistv5 - cve-2026-22741

CVE-2026-22741 (GCVE-0-2026-22741)

Vulnerability from cvelistv5

Published

2026-04-29 11:32

Modified

2026-04-29 14:01

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-524 - Information Exposure Through Caching

Summary

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

References

URL

Tags

	https://spring.io/security/cve-2026-22741
	https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L&version=3.1

Impacted products

	Vendor	Product	Version
	VMware	Spring Framework	Version: 7.0.0 Version: 6.2.0 Version: 6.1.0 Version: 5.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22741",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-29T13:19:19.166572Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T13:19:38.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Spring Framework",
          "vendor": "VMware",
          "versions": [
            {
              "lessThan": "7.0.7",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "oss"
            },
            {
              "lessThan": "6.2.18",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "oss"
            },
            {
              "lessThan": "6.1.27",
              "status": "affected",
              "version": "6.1.0",
              "versionType": "commercial"
            },
            {
              "lessThan": "5.3.48",
              "status": "affected",
              "version": "5.3.0",
              "versionType": "commercial"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yuki Matsuhashi ."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSpring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eMore precisely, an application can be vulnerable when all the following are true:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe application is using Spring MVC or Spring WebFlux\u003c/li\u003e\u003cli\u003ethe application is configuring the\u0026nbsp;\u003ca href=\"https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title\"\u003eresource chain support\u003c/a\u003e\u0026nbsp;with caching enabled\u003c/li\u003e\u003cli\u003ethe application adds support for encoded resources resolution\u003c/li\u003e\u003cli\u003ethe resource cache must be empty when the attacker has access to the application\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.\u003c/p\u003e"
            }
          ],
          "value": "Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.\n\n\nMore precisely, an application can be vulnerable when all the following are true:\n\n  *  the application is using Spring MVC or Spring WebFlux\n  *  the application is configuring the\u00a0 resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title \u00a0with caching enabled\n  *  the application adds support for encoded resources resolution\n  *  the resource cache must be empty when the attacker has access to the application\n\n\nWhen all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-524",
              "description": "CWE-524 Information Exposure Through Caching",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-29T14:01:42.273Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://spring.io/security/cve-2026-22741"
        },
        {
          "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L\u0026version=3.1"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Static resource cache poisoning in Spring MVC and WebFlux",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2026-22741",
    "datePublished": "2026-04-29T11:32:12.548Z",
    "dateReserved": "2026-01-09T06:54:49.675Z",
    "dateUpdated": "2026-04-29T14:01:42.273Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22741\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-29T13:19:19.166572Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-29T13:19:34.363Z\"}}], \"cna\": {\"title\": \"Static resource cache poisoning in Spring MVC and WebFlux\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yuki Matsuhashi .\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"VMware\", \"product\": \"Spring Framework\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0.0\", \"lessThan\": \"7.0.7\", \"versionType\": \"oss\"}, {\"status\": \"affected\", \"version\": \"6.2.0\", \"lessThan\": \"6.2.18\", \"versionType\": \"oss\"}, {\"status\": \"affected\", \"version\": \"6.1.0\", \"lessThan\": \"6.1.27\", \"versionType\": \"commercial\"}, {\"status\": \"affected\", \"version\": \"5.3.0\", \"lessThan\": \"5.3.48\", \"versionType\": \"commercial\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://spring.io/security/cve-2026-22741\"}, {\"url\": \"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L\u0026version=3.1\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.\\n\\n\\nMore precisely, an application can be vulnerable when all the following are true:\\n\\n  *  the application is using Spring MVC or Spring WebFlux\\n  *  the application is configuring the\\u00a0 resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title \\u00a0with caching enabled\\n  *  the application adds support for encoded resources resolution\\n  *  the resource cache must be empty when the attacker has access to the application\\n\\n\\nWhen all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSpring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eMore precisely, an application can be vulnerable when all the following are true:\u003c/p\u003e\u003cul\u003e\u003cli\u003ethe application is using Spring MVC or Spring WebFlux\u003c/li\u003e\u003cli\u003ethe application is configuring the\u0026nbsp;\u003ca href=\\\"https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title\\\"\u003eresource chain support\u003c/a\u003e\u0026nbsp;with caching enabled\u003c/li\u003e\u003cli\u003ethe application adds support for encoded resources resolution\u003c/li\u003e\u003cli\u003ethe resource cache must be empty when the attacker has access to the application\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-524\", \"description\": \"CWE-524 Information Exposure Through Caching\"}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2026-04-29T14:01:42.273Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22741\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-29T14:01:42.273Z\", \"dateReserved\": \"2026-01-09T06:54:49.675Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2026-04-29T11:32:12.548Z\", \"assignerShortName\": \"vmware\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2026-AVI-0457

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans Spring Framework. Elles permettent à un attaquant de provoquer un déni de service à distance et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Spring	Spring Framework	Framework versions 6.1.x antérieures à 6.1.27
Spring	Spring Framework	Framework versions 7.0.x antérieures à 7.0.7
Spring	Spring Framework	Framework versions 5.3.x antérieures à 5.3.48
Spring	Spring Framework	Framework versions 6.2.x antérieures à 6.2.18

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted