PatchSiren cyber security CVE debrief
CVE-2026-41847 Spring CVE debrief
A security bypass vulnerability exists in Spring WebFlux applications when using the Kotlin Router DSL. The vulnerability affects Spring Framework versions 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Operators of Spring WebFlux applications built on Spring Framework versions 5.3.0 through 5.3.48 that define routes with the Kotlin Router DSL.
Technical summary
The vulnerability allows a security bypass. It carries a CVSS score of 4.8 (MEDIUM); the Common Vulnerability Scoring System (CVSS) vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, i.e. reachable over the network without privileges or user interaction, but with high attack complexity and only a low impact on confidentiality and integrity.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Spring Framework version 5.3.49 or later.
- Refer to the vendor advisory for more information: [ref-4](https://spring.io/security/cve-2026-41847)
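As an added example (not part of the PatchSiren debrief and not Spring's own tooling), the following check flags Spring Framework artifacts whose effective version falls in the affected 5.3.0 through 5.3.48 range, reading Maven `dependency:tree` or Gradle `dependencies` output; the `org.springframework` group coordinates are assumed, and the sample report lines are constructed.

```python
import re
from typing import List, Tuple

# Affected range from the advisory: 5.3.0 through 5.3.48; fixed in 5.3.49.
AFFECTED_MIN = (5, 3, 0)
AFFECTED_MAX = (5, 3, 48)

# Matches Maven `dependency:tree` lines ("org.springframework:spring-webflux:jar:5.3.40:compile")
# and Gradle `dependencies` lines ("org.springframework:spring-webflux:5.3.20 -> 5.3.49").
# Assumption: Spring Framework artifacts live under the org.springframework group
# (spring-webflux carries the Kotlin Router DSL); org.springframework.boot is deliberately excluded.
ARTIFACT_RE = re.compile(
    r"org\.springframework:(?P<artifact>spring-[a-z-]+):(?:jar:)?(?P<declared>\d+\.\d+\.\d+)"
    r"(?:\S*\s+->\s+(?P<resolved>\d+\.\d+\.\d+))?"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    major, minor, patch = text.split(".")[:3]
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_dependency_report(report: str) -> List[Tuple[str, str]]:
    """Return (artifact, effective version) pairs inside the affected range.

    On Gradle conflict lines the version after '->' is what ends up on the
    classpath, so that one is checked instead of the declared version.
    """
    findings = []
    for line in report.splitlines():
        match = ARTIFACT_RE.search(line)
        if not match:
            continue
        effective = match.group("resolved") or match.group("declared")
        if is_affected(effective):
            findings.append((match.group("artifact"), effective))
    return findings


# Constructed sample report (not from a real build) mixing Maven and Gradle formats.
SAMPLE_REPORT = """\
[INFO] +- org.springframework:spring-webflux:jar:5.3.40:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.40:compile
+--- org.springframework:spring-webflux:5.3.20 -> 5.3.49
+--- org.springframework:spring-web:5.3.48
+--- org.springframework.boot:spring-boot:2.7.18
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_report(SAMPLE_REPORT):
        print(f"affected: {artifact} {version}")
```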
Evidence notes
The CVE record and details can be found at: [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-41847) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-41847).
Official resources
- CVE-2026-41847 CVE record: CVE.org
- CVE-2026-41847 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory, [ref-4](https://spring.io/security/cve-2026-41847)
CVE-2026-41847 was published on 2026-06-09T05:16:36.817Z and modified on 2026-06-11T16:08:39.660Z.