CVE-2026-41843

Vulnerability

Spring MVC and Spring WebFlux applications are vulnerable to path traversal when resolving static resources if they serve static resources from the file system and have configured versioned resources support. This vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by sending malicious requests that can resolve files outside the configured static resource locations. This requires the attacker to know or guess the metadata information of targeted resources [1].

Impact

Successful exploitation of this path traversal vulnerability allows an attacker to access files outside the intended directories. The specific impact on confidentiality, integrity, and availability depends on the accessed files and the application's configuration, but it could lead to unauthorized information disclosure or manipulation [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: 7.0.8, 6.2.19, 6.1.28, or 5.3.49. No further mitigation steps are necessary [1].