PatchSiren cyber security CVE debrief
CVE-2026-41001 Spring CVE debrief
CVE-2026-41001 is a medium severity (CVSS 5.3) vulnerability in Spring Boot's ArtemisEmbeddedConfigurationFactory, the class that builds the configuration for the embedded Apache ActiveMQ Artemis message broker. Because the broker's data directory defaults to a fixed, predictable path when none is configured, a local attacker on the same host can pre-create that directory, or place a symlink at that path, before the application starts, so that the broker's data files end up in a directory the attacker owns or at a location of the attacker's choosing. The vulnerability affects Spring Boot versions 4.0.0 through 4.0.6, 3.5.0 through 3.5.14, 3.4.0 through 3.4.16, 3.3.0 through 3.3.19, and 2.7.0 through 2.7.33.
- Vendor: Spring
- Product: Spring Boot
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Operators of applications built on an affected Spring Boot version that run the embedded Artemis broker (spring.artemis.mode=embedded, or embedded mode selected by Spring Boot's default auto-detection when the Artemis server classes are on the classpath) and that have not set spring.artemis.embedded.data-directory. The exposure is greatest on hosts shared with other local users or with less-trusted local processes: the attacker needs local access and must act before the application starts or restarts, so single-tenant, container-isolated deployments are at lower risk but should still upgrade.
Technical summary
When no explicit data directory is configured, ArtemisEmbeddedConfigurationFactory points the embedded Artemis broker at a fixed, static path for its data directory, the location under which the broker keeps its journal and related files. Because the path is the same for every user and every run, a local attacker on the same host who can write to the parent location can create that directory first, or put a symlink there, before the application starts. The application then uses whatever it finds at the path: with a pre-created directory, the attacker owns the directory the broker writes into; with a symlink, the broker's writes are redirected to a target of the attacker's choosing. This is the classic predictable-path problem of shared, world-writable locations, and it needs only local access plus a window before the application (re)starts.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a Spring Boot release outside the affected ranges listed above.
- Until the upgrade is in place, set spring.artemis.embedded.data-directory to an explicit path that the application's service account owns and that does not sit under a world-writable directory such as /tmp. Create it ahead of time with owner-only permissions (mode 0700) so nothing is left for the application to create on first start.
- Treat the configured path as part of the application's trust boundary: before each start, confirm it is a real directory (not a symlink) owned by the service user, and if the default path has ever been used on a shared host, inspect what is there before relying on it.
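As an added example that is not PatchSiren's or the Spring project's code, the following launcher script applies the mitigations from outside the application: it creates the data directory owner-only if it is absent, refuses to proceed if the path is a symlink, a non-directory, owned by someone else, or group/world accessible, and only then starts the application with spring.artemis.embedded.data-directory set explicitly through its relaxed-binding environment form SPRING_ARTEMIS_EMBEDDED_DATA_DIRECTORY. The jar path and the /var/lib/myapp/artemis directory are placeholders chosen for the example.

```shell
#!/usr/bin/env bash
# Pre-start guard for a Spring Boot application that runs the embedded Artemis broker.
# Added example, not code from PatchSiren or Spring Boot. Assumes a service-owned
# data directory (placeholder: /var/lib/myapp/artemis) and that the launcher passes
# the path to Spring Boot via SPRING_ARTEMIS_EMBEDDED_DATA_DIRECTORY, the relaxed-
# binding form of spring.artemis.embedded.data-directory.

# check_artemis_data_dir DIR
# Creates DIR (mode 0700, non-recursive, never following symlinks) when absent, then
# accepts it only if it is a real directory, not a symlink, owned by the current
# user, and closed to group and other. Returns 0 when safe to use, 1 otherwise.
check_artemis_data_dir() {
    local dir="$1" mode

    # Try to create it. If something already sits at the path (a directory, a file
    # or a symlink planted by another local user) mkdir fails and the checks below
    # decide whether what is there can be trusted.
    mkdir -m 0700 "$dir" 2>/dev/null || true

    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a directory" >&2
        return 1
    fi
    # -O: owned by the effective user running this script.
    if [ ! -O "$dir" ]; then
        echo "refusing: $dir is not owned by uid $(id -u)" >&2
        return 1
    fi
    # Octal permission bits: GNU stat first, BSD/macOS stat as a fallback.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    case "$mode" in
        *00) ;;   # group and other bits clear (e.g. 700, or 1700 with sticky bit)
        *)  echo "refusing: $dir has mode $mode; expected owner-only access" >&2
            return 1 ;;
    esac
    return 0
}

# launch_app JAR DIR
# Runs the check and, only if it passes, starts the application with the data
# directory set explicitly so the built-in default path is never used.
launch_app() {
    local jar="$1" dir="$2"
    check_artemis_data_dir "$dir" || return 1
    SPRING_ARTEMIS_EMBEDDED_DATA_DIRECTORY="$dir" exec java -jar "$jar"
}

# Example invocation with placeholder paths (not executed when this file is
# sourced for the check alone):
#   launch_app /opt/myapp/app.jar /var/lib/myapp/artemis
```

The check uses mkdir without -p so it never creates parent directories in a location it does not control, and it rejects symlinks even when the current target looks harmless, because a symlink can be re-pointed between checks. If another local user has already planted the directory, the launcher fails closed instead of silently adopting it; the log line tells the operator what to inspect.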
Evidence notes
The CVE-2026-41001 record was obtained from the official CVE.org and NVD databases.
Official resources
- CVE-2026-41001 CVE record (CVE.org)
- CVE-2026-41001 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41001 was published on 2026-06-11T07:16:28.163Z and modified on 2026-06-11T15:21:30.653Z.