CVE-2026-41854

Vulnerability

Applications using Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18 are vulnerable to server-side request forgery (SSRF) due to an incorrect host parsing mechanism within UriComponentsBuilder when processing externally provided URL strings [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL string that, when parsed by UriComponentsBuilder, tricks the application into making unintended requests to internal or external resources. This typically requires the attacker to provide a specially malformed URL to an application feature that utilizes this component for URL processing, potentially involving user interaction [1].

Impact

Successful exploitation of this vulnerability allows an attacker to induce the server to make requests on their behalf, leading to server-side request forgery (SSRF). This can result in the disclosure of sensitive information or the manipulation of internal resources, depending on the application's configuration and network access [1].

Mitigation

Users of affected versions should upgrade to Spring Framework 7.0.8 or 6.2.19. Fixed versions are available as of June 8, 2026. No further mitigation steps are necessary beyond upgrading [1].