PatchSiren cyber security CVE debrief
CVE-2026-41854 Spring CVE debrief
A medium-severity vulnerability, CVE-2026-41854, was found in Spring Framework. The issue arises from incorrect host parsing in UriComponentsBuilder, which can lead to a server-side request forgery (SSRF) attack. The affected versions are Spring Framework 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18.
- Vendor
- Spring
- Product
- Spring Framework
- CVSS
- MEDIUM 4.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-15
Who should care
Developers and administrators using Spring Framework versions 7.0.0 through 7.0.7 and 6.2.0 through 6.2.18 should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
CVE-2026-41854 is a medium-severity vulnerability with a CVSS score of 4.2. It was published on [cvePublishedAt] and modified on [cveModifiedAt]. The vulnerability is caused by incorrect host parsing in UriComponentsBuilder, which can lead to SSRF attacks.
Defensive priority
medium
Recommended defensive actions
- Update to Spring Framework version 6.2.19 or later
- Update to Spring Framework version 7.0.8 or later
- Implement additional security measures to prevent SSRF attacks
Evidence notes
The CVE record and NVD detail can be found at [resourceLinkAnnotations:cve-org] and [resourceLinkAnnotations:nvd], respectively. The vendor advisory is available at [resourceLinkAnnotations:ref-4].
Official resources
-
CVE-2026-41854 CVE record
CVE.org
-
CVE-2026-41854 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
CVE-2026-41854 was published on 2026-06-09T05:16:37.647Z and modified on 2026-06-15T19:10:25.670Z.