VYPR
Medium severity (4.8) · NVD Advisory · Published Jun 9, 2026

CVE-2026-41847

Description

Spring Framework 5.3.x applications using WebFlux Kotlin Router DSL can bypass security filters when ServerRequest is modified.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring Framework applications using WebFlux and the Kotlin Router DSL are vulnerable to a security bypass if they employ a filter that modifies or replaces the ServerRequest (e.g., using ServerRequestWrapper) before passing it to the next handler function. This issue affects Spring Framework versions 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability if the affected application meets all of the following conditions: it uses Spring WebFlux, it uses the Kotlin Router DSL, and it uses a filter that modifies the ServerRequest. The attacker does not need specific privileges or user interaction, because the security bypass occurs when the modified ServerRequest is silently discarded and the downstream handler receives the original, unmodified request instead [1].

Impact

When exploited, this vulnerability causes security-related modifications applied to the ServerRequest by a filter to have no effect. The downstream handler receives the original request, effectively bypassing intended security controls. This could lead to unauthorized access or actions that the security filter was designed to prevent [1].

Mitigation

Users of affected versions should upgrade to Spring Framework version 5.3.49, which addresses this vulnerability. This fix was made available commercially on June 8, 2026. No further mitigation steps are necessary beyond upgrading [1].
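The following is an added example, not code from the advisory or from the Spring project. It shows the pattern the advisory describes in its simplest form: a WebFlux Kotlin Router DSL route whose filter replaces the incoming ServerRequest with a rebuilt copy (via ServerRequest.from(...).build()) that carries an extra attribute, together with a WebTestClient check that asserts the handler actually received the replaced request. The route path, attribute name and values are assumptions; spring-webflux and spring-test are assumed to be on the classpath. Run against the deployed Spring version, this serves as a regression check: if the filter's replacement is dropped as described above, the handler reports the original request and the assertion fails; after upgrading to 5.3.49 it should pass.

```kotlin
import org.springframework.test.web.reactive.server.WebTestClient
import org.springframework.web.reactive.function.server.ServerRequest
import org.springframework.web.reactive.function.server.ServerResponse
import org.springframework.web.reactive.function.server.router

// Attribute name and value are constructed for this example (assumption).
const val ROLE_ATTR = "example.role"

// Router built with the Kotlin DSL. The filter rebuilds the request with an
// added attribute and hands the rebuilt copy to the next handler; the handler
// reports which attribute value it actually observed.
val routes = router {
    filter { request, next ->
        // Replacing the ServerRequest is the pattern the advisory concerns.
        val enriched = ServerRequest.from(request)
            .attribute(ROLE_ATTR, "user")
            .build()
        next(enriched)
    }
    GET("/whoami") { request ->
        val role = request.attributes()[ROLE_ATTR] as? String ?: "none"
        ServerResponse.ok().bodyValue("role=$role")
    }
}

// Regression check: bind an in-memory WebTestClient to the router and verify
// the handler saw the filter's modification. A body of "role=none" means the
// replaced request was discarded and the original reached the handler.
fun main() {
    val client = WebTestClient.bindToRouterFunction(routes).build()
    client.get().uri("/whoami").exchange()
        .expectStatus().isOk
        .expectBody(String::class.java).isEqualTo("role=user")
    println("filter modification reached the handler")
}
```

The check uses an attribute rather than a header only because attributes are simplest to add through the request builder; the same assertion can be written for any modification a filter makes, and it is worth keeping in the test suite so that a future version change is caught the same way.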

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1