CVE-2026-41001
Description
Spring Boot uses a predictable, static path for the embedded Artemis broker data directory, allowing a local attacker to pre-create or symlink the directory before the application starts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Boot uses a predictable, static path for the embedded Artemis broker data directory, allowing a local attacker to pre-create or symlink the directory before the application starts.
Vulnerability
Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts. All versions of Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; and 2.7.0 through 2.7.33 are affected [1].
Exploitation
An attacker must have local access to the host running the application. No authentication or special privileges are required beyond the ability to create directories or symlinks in the predictable path. The attacker pre-creates the expected directory or a symlink pointing to an attacker-controlled location before the application starts. When the application launches and the embedded Artemis broker initializes, it uses the attacker-controlled directory as its data directory [1].
Impact
Successful exploitation allows the attacker to control the location where the embedded Artemis broker stores its persistent data. This can lead to information disclosure if the attacker can read data written by the broker, or to denial of service if the attacker can disrupt the broker's data integrity or availability by manipulating the directory contents. The attacker does not gain code execution or escalate privileges beyond the application's user context [1].
Mitigation
Spring Boot released fixes in versions 4.0.7, 3.5.15, 3.4.17, 3.3.20, and 2.7.34 on 2026-06-11. Users should upgrade to these fixed versions. As a workaround, administrators can explicitly configure a non-predictable path for the Artemis data directory using the spring.artemis.embedded.data-directory property. No workaround is required once the application is patched [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: >=2.7.0,<=2.7.33 || >=3.3.0,<=3.3.19 || >=3.4.0,<=3.4.16 || >=3.5.0,<=3.5.14 || >=4.0.0,<=4.0.6
- Range: >=2.7.0 <=2.7.33 || >=3.3.0 <=3.3.19 || >=3.4.0 <=3.4.16 || >=3.5.0 <=3.5.14 || >=4.0.0 <=4.0.6
Patches
24218bd76e934Fix predictable temp directory in Artemis embedded configuration
1 file changed · +3 −4
spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jms/artemis/ArtemisEmbeddedConfigurationFactory.java+3 −4 modified@@ -16,8 +16,6 @@ package org.springframework.boot.autoconfigure.jms.artemis; -import java.io.File; - import org.apache.activemq.artemis.api.core.QueueConfiguration; import org.apache.activemq.artemis.api.core.RoutingType; import org.apache.activemq.artemis.api.core.SimpleString; @@ -31,6 +29,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.springframework.boot.system.ApplicationTemp; + /** * Configuration used to create the embedded Artemis server. * @@ -84,8 +84,7 @@ private String getDataDir() { if (this.properties.getDataDirectory() != null) { return this.properties.getDataDirectory(); } - String tempDirectory = System.getProperty("java.io.tmpdir"); - return new File(tempDirectory, "artemis-data").getAbsolutePath(); + return new ApplicationTemp().getDir("artemis-data").getAbsolutePath(); } }
6f7341c2af89Release v4.0.7
1 file changed · +1 −1
gradle.properties+1 −1 modified@@ -1,4 +1,4 @@ -version=4.0.7-SNAPSHOT +version=4.0.7 latestVersion=false spring.build-type=oss
Vulnerability mechanics
Root cause
"Use of a fixed, predictable path (`java.io.tmpdir` + `"artemis-data"`) for the embedded Artemis broker's data directory allows a local attacker to pre-create or symlink that location."
Attack vector
A local attacker with low privileges on the same host can pre-create the predictable directory `/tmp/artemis-data` (or place a symlink at that location) before the Spring Boot application starts. When the application launches and initializes the embedded Artemis broker, it will use the attacker-controlled directory for its data store. This allows the attacker to influence or observe the broker's data, leading to limited confidentiality, integrity, and availability impacts (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). No authentication or network access is required beyond local shell access.
Affected code
The vulnerability is in `ArtemisEmbeddedConfigurationFactory.java` in the `getDataDir()` method. When no explicit `dataDirectory` is configured via `this.properties.getDataDirectory()`, the original code constructs the path using `System.getProperty("java.io.tmpdir")` concatenated with the hardcoded string `"artemis-data"` [patch_id=5565346]. This produces a predictable path such as `/tmp/artemis-data`.
What the fix does
The patch replaces the hardcoded `new File(tempDirectory, "artemis-data")` construction with `new ApplicationTemp().getDir("artemis-data")` [patch_id=5565346]. `ApplicationTemp` is a Spring Boot utility that generates a secure, unpredictable temporary directory path, typically under the user's application-specific temp space. This prevents a local attacker from predicting or pre-creating the path before the application starts. The fix also removes the now-unnecessary `import java.io.File` and adds the `import org.springframework.boot.system.ApplicationTemp`.
Preconditions
- authAttacker must have local shell access to the same host running the Spring Boot application
- configThe application must use Spring Boot's embedded Artemis configuration without explicitly setting a data directory
- inputThe attacker must pre-create the predictable path before the application starts
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.