PatchSiren cyber security CVE debrief
CVE-2026-41841 Spring CVE debrief
A medium-severity vulnerability, CVE-2026-41841, was found in Spring MVC and WebFlux applications. The issue allows information disclosure when an application resolves static resources. It affects multiple versions of the Spring Framework, including 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of affected Spring Framework versions should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability has a CVSS score of 5.9 and is classified as CWE-524. It can be exploited through a network attack (AV:N) with high complexity (AC:H) and no privileges required (PR:N). The attack can lead to high confidentiality impact (C:H) with no integrity (I:N) or availability (A:N) impact.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a non-vulnerable version of the Spring Framework.
- Refer to the vendor advisory for more information and mitigation steps: [ref-4]
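To decide which builds need the upgrade, the following added example (not part of the original debrief or the vendor advisory) checks dependency listings against the affected ranges stated above. It assumes the relevant Maven artifacts are spring-webmvc and spring-webflux; the sample input is constructed.

```python
import re

# Affected ranges exactly as stated in this debrief (inclusive on both ends).
AFFECTED = [((7, 0, 0), (7, 0, 7)), ((6, 2, 0), (6, 2, 18)),
            ((6, 1, 0), (6, 1, 27)), ((5, 3, 0), (5, 3, 48))]
# Assumption: artifacts corresponding to "Spring MVC and WebFlux" on this page.
MODULES = ("spring-webmvc", "spring-webflux")

# Maven coordinates (group:artifact:jar:version[:scope]) and jar file names.
COORD = re.compile(r"org\.springframework:(spring-[\w-]+):jar:([^:\s]+)")
JAR = re.compile(r"(spring-[a-z-]+?)-(\d[\w.-]*)\.jar")

def classify(version):
    """Return 'affected', 'not-in-range' or 'review' for a version string.

    'not-in-range' only means the debrief does not list the version; it is
    not a statement that an unlisted release line is fixed.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version)
    if not m:
        return "review"  # not a plain x.y.z version, needs a human look
    v = tuple(int(part) for part in m.groups()[:3])
    in_range = any(lo <= v <= hi for lo, hi in AFFECTED)
    if in_range and m.group(4):
        return "review"  # SNAPSHOT, RC or vendor build on an in-range base
    return "affected" if in_range else "not-in-range"

def scan(lines):
    """Return (artifact, version, status) for each MVC/WebFlux entry found."""
    findings = []
    for line in lines:
        m = COORD.search(line) or JAR.search(line)
        if m and m.group(1) in MODULES:
            findings.append((m.group(1), m.group(2), classify(m.group(2))))
    return findings

# Constructed sample: Maven dependency-list lines and paths inside a fat jar.
SAMPLE = """\
[INFO]    org.springframework:spring-webmvc:jar:6.2.18:compile
[INFO]    org.springframework:spring-core:jar:6.2.18:compile
BOOT-INF/lib/spring-webflux-7.0.3.jar
BOOT-INF/lib/spring-webmvc-5.3.49.jar
[INFO]    org.springframework:spring-webflux:jar:7.0.0-RC1:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{artifact:16} {version:12} {status}")
```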
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide additional information about the vulnerability.
Official resources
- CVE-2026-41841 CVE record (CVE.org)
- CVE-2026-41841 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
CVE-2026-41841 was published on 2026-06-09T05:16:36.087Z and modified on 2026-06-09T20:38:00.927Z.