CVE-2026-41841

Vulnerability

Spring MVC and WebFlux applications are vulnerable to information disclosure when resolving static resources. This occurs when an application uses Spring MVC or WebFlux, has multiple resource handlers with different locations, at least one handler requires authentication, and a shared cache is configured for these handlers. Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by first triggering the resolution of a publicly available resource with a specific name. If this resource is cached, and then a protected resource with the same name is resolved, the attacker can gain access to the protected resource. This attack does not require authentication or specific network positioning, but relies on the specific configuration of resource handlers and caching [1].

Impact

Successful exploitation of this vulnerability allows an attacker to disclose sensitive information by gaining unauthorized access to protected resources that should otherwise require authentication. The scope of the compromise is limited to the resources accessible through the misconfigured static resource handling [1].

Mitigation

Users of affected Spring Framework versions should upgrade to the following fixed versions: 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the specific branch. No further mitigation steps are necessary beyond upgrading [1].