CVE-2026-41853

Vulnerability

Spring MVC and Spring WebFlux applications are vulnerable to multipart request smuggling attacks. This vulnerability affects applications that accept multipart requests and are protected by a Web Application Firewall (WAF) or proxy that parses multipart requests and performs content-based checks. The affected versions of Spring Framework are 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by sending malicious multipart requests that are designed to bypass the checks performed by a WAF or proxy. The attacker needs network access to the application and does not require any authentication or user interaction. The WAF or proxy's multipart request parsing is a prerequisite for exploitation [1].

Impact

Successful exploitation of this vulnerability allows an attacker to bypass WAF or proxy checks. The specific impact beyond bypassing security controls is not detailed in the available references, but bypassing security measures can lead to further attacks or unauthorized access [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, and 5.3.49. No further mitigation steps are necessary beyond upgrading [1].