VMware Spring Framework
Recent VMware Spring Framework Security Advisories
| CVE | Severity | Title | Published |
|---|---|---|---|
| CVE-2026-40990 | Moderate | Unbounded cache for function definitions | May 8, 2026 |
| CVE-2026-40989 | Moderate | Self Routing guard bypassed via function composition | May 8, 2026 |
| CVE-2026-41712 | High | ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage | May 8, 2026 |
| CVE-2026-41705 | High | Expression injection in MilvusVectorStore doDelete allows data destruction | May 8, 2026 |
| CVE-2026-41713 | High | Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor | May 8, 2026 |
| CVE-2026-41002 | High | Spring Cloud Config Server Susceptible To TOCTOU Attack | May 6, 2026 |
| CVE-2026-40982 | Critical | Directory Traversal with spring-cloud-config-server | May 6, 2026 |
| CVE-2026-40981 | High | Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager | May 6, 2026 |
| CVE-2026-41004 | Medium | Spring Cloud Config Server Logged Sensitive Information | May 6, 2026 |
| CVE-2026-40969 | Low | Spring gRPC AuthenticationException message reflected to remote client | April 28, 2026 |
EOL Dates
Ensure that you are using a supported version of VMware Spring Framework. Here are some end of life, and end of support dates for VMware Spring Framework.
| Release | EOL Date | End of Extended Support | Status |
|---|---|---|---|
| 7.0 | June 30, 2027 | June 30, 2028 | Active; becomes EOL next year, in June 2027 |
| 6.2 | June 30, 2026 | June 30, 2032 | EOL this year, in June 2026 |
| 6.1 | June 30, 2025 | June 30, 2026 | EOL since 2025; extended support ends in 2026 |
| 6.0 | June 30, 2024 | August 31, 2025 | EOL since 2024; extended support ended in 2025 |
| 5.3 | August 31, 2024 | June 30, 2029 | EOL since 2024; extended support ends in 2029 |
| 5.2 | December 31, 2021 | December 31, 2023 | EOL since 2021; extended support ended in 2023 |
| 5.1 | December 31, 2020 | December 31, 2022 | EOL since 2020; extended support ended in 2022 |
| 5.0 | December 31, 2020 | - | EOL since 2020 |
| 4.3 | December 31, 2020 | - | EOL since 2020 |
| 3.2 | December 31, 2016 | - | EOL since 2016 |
Extended Support differs by vendor, and may cost additional fees. Check with VMware to see how they define extended support.
By the Year
In 2026 there have been 45 vulnerabilities in VMware Spring Framework with an average score of 6.7 out of ten. Last year, in 2025, Spring Framework had 6 security vulnerabilities published. That is, 39 more vulnerabilities have already been reported in 2026 than in all of last year, and the average CVE base score of the 2026 vulnerabilities is higher by 0.43.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 45 | 6.73 |
| 2025 | 6 | 6.30 |
| 2024 | 6 | 6.40 |
| 2023 | 4 | 7.00 |
| 2022 | 6 | 6.28 |
| 2021 | 2 | 6.05 |
| 2020 | 4 | 7.28 |
| 2019 | 0 | 0.00 |
| 2018 | 11 | 7.61 |
It may take a day or so for new Spring Framework vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent VMware Spring Framework Security Vulnerabilities
Spring AI PromptChatMemoryAdvisor Input Injection Alters Model Behavior
CVE-2026-41713
8.2 - High
- May 12, 2026
A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.
1336
Spring AI ChatMemory default leak enabling cross-user data exposure
CVE-2026-41712
7.5 - High
- May 12, 2026
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.
Filter-Expression Injection in Spring AI MilvusVectorStore#doDelete (1.0.x, 1.1.x)
CVE-2026-41705
8.6 - High
- May 09, 2026
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.
EL Injection
Spring Cloud Config Secrets Manager Bypass - Exposes GCP Secrets (v3.1-5.0)
CVE-2026-40981
7.5 - High
- May 07, 2026
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Insecure Direct Object Reference / IDOR
Spring Cloud Config Server TOCTOU via base directory 3.1.x-5.0.3
CVE-2026-41002
7.4 - High
- May 07, 2026
The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
TOCTTOU
Spring Cloud Config Trace Log Info Exposure CVE-2026-41004
CVE-2026-41004
4.4 - Medium
- May 07, 2026
When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Insertion of Sensitive Information into Log File
Spring Cloud Config Directory Traversal via Config Server CVE-2026-40982 (3.1.x-5.0.2)
CVE-2026-40982
9.1 - Critical
- May 07, 2026
Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Directory traversal
DoS via Slow Static Resource Resolve in Spring MVC/WebFlux on Windows
CVE-2026-22745
5.3 - Medium
- April 29, 2026
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true:
* the application is using Spring MVC or Spring WebFlux
* the application is serving static resources from the file system
* the application is running on a Windows platform

When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Resource Exhaustion
Spring MVC static resource cache poisoning via encoded resource resolution
CVE-2026-22741
3.1 - Low
- April 29, 2026
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true:
* the application is using Spring MVC or Spring WebFlux
* the application is configuring the resource chain support (https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title) with caching enabled
* the application adds support for encoded resources resolution
* the resource cache must be empty when the attacker has access to the application

When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Use of Cache Containing Sensitive Information
Spring WebFlux multipart temp file retention (disk space depletion)
CVE-2026-22740
6.5 - Medium
- April 29, 2026
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.
Resource Exhaustion
Spring gRPC 1.0.0-1.0.2 AuthEx Leakage via gRPC Status
CVE-2026-40969
3.7 - Low
- April 28, 2026
The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Generation of Error Message Containing Sensitive Information
Spring gRPC auth ID retained on thread, pre-1.0.3
CVE-2026-40968
4.3 - Medium
- April 28, 2026
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.
Separation of Privilege
Spring AI ForkPDFLayoutTextStripper DoS via crafted PDF (1.0.0-1.1.4)
CVE-2026-40980
6.5 - Medium
- April 28, 2026
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Resource Exhaustion
Spring AI 1.0.0-1.0.5 / 1.1.0-1.1.4 Shared Env Exposes ONNX (fixed 1.0.6/1.1.5)
CVE-2026-40979
6.1 - Medium
- April 28, 2026
In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Insecure Temporary File
Spring AI 1.0.0-1.0.5 / 1.1.0-1.1.4 SQLi in CosmosDBVectorStore (fixed 1.0.6/1.1.5)
CVE-2026-40978
8.8 - High
- April 28, 2026
SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
SQL Injection
Spring AI VectorStoreChatMemoryAdvisor Exfiltration via conversationId Injection
CVE-2026-40966
5.9 - Medium
- April 28, 2026
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
Authorization
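The application-side defense for CVE-2026-40966 is to never let the caller choose the conversation ID. The following is an added example, not Spring AI project code: the ID is derived from the authenticated principal and allow-list checked before it reaches the advisor. It assumes Spring AI 1.0.x (`ChatClient`, `VectorStoreChatMemoryAdvisor`, the `ChatMemory.CONVERSATION_ID` advisor parameter) and Spring Security on the classpath; the controller, the `user-` prefix and the regular expression are this example's own choices.

```java
// Added example (not Spring AI project code): derive the chat-memory conversation ID
// from the authenticated principal instead of trusting a request parameter.
// Assumes Spring AI 1.0.x ChatClient / VectorStoreChatMemoryAdvisor and Spring Security;
// the controller, the "user-" prefix and the regex are this example's own assumptions.
import java.util.regex.Pattern;

import org.springframework.ai.chat.client.ChatClient;
import org.springframework.ai.chat.client.advisor.vectorstore.VectorStoreChatMemoryAdvisor;
import org.springframework.ai.chat.memory.ChatMemory;
import org.springframework.ai.vectorstore.VectorStore;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ChatController {

    // The conversation ID ends up inside a vector-store filter expression, so restrict it
    // to an alphabet that cannot carry filter syntax (no quotes, spaces or operators).
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_.@-]{1,128}$");

    private final ChatClient chatClient;

    public ChatController(ChatClient.Builder builder, VectorStore vectorStore) {
        this.chatClient = builder
                .defaultAdvisors(VectorStoreChatMemoryAdvisor.builder(vectorStore).build())
                .build();
    }

    @PostMapping("/chat")
    public String chat(@RequestBody String userMessage, Authentication authentication) {
        // Vulnerable pattern (do not do this): reading the ID from the request lets the
        // caller select any conversation, including other users', and inject filter logic:
        //   String conversationId = request.getParameter("conversationId");

        // Hardened: the ID is server-derived from the authenticated identity and then
        // allow-list checked, so it is scoped to this user and free of filter syntax.
        String conversationId = "user-" + authentication.getName();
        if (!SAFE_ID.matcher(conversationId).matches()) {
            throw new IllegalArgumentException("conversation id contains disallowed characters");
        }

        return chatClient.prompt()
                .user(userMessage)
                .advisors(a -> a.param(ChatMemory.CONVERSATION_ID, conversationId))
                .call()
                .content();
    }
}
```

Upgrading to the fixed Spring AI release is still required; the allow-list only removes the application's dependence on the converter escaping correctly.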
Spring AI 1.0-1.0.5 Query-Language Injection via Unescaped Filters
CVE-2026-40967
8.6 - High
- April 28, 2026
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Code Injection
Spring Boot 2.7.0-4.0.5 ApplicationPidFileWriter PID File Corruption
CVE-2026-40977
4.7 - Medium
- April 27, 2026
When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0 - 4.0.5 (fix 4.0.6), 3.5.0 - 3.5.13 (fix 3.5.14), 3.4.0 - 3.4.15 (fix 3.4.16), 3.3.0 - 3.3.18 (fix 3.3.19), 2.7.0 - 2.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.
insecure temporary file
Spring Boot 4.0.0-4.0.5 Default Security Filter Chain Bypass
CVE-2026-40976
9.1 - Critical
- April 27, 2026
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.0 - 4.0.5; upgrade to 4.0.6 or later per vendor advisory.
AuthZ
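One of the four conditions for CVE-2026-40976 is that the application has no Spring Security configuration of its own. The following is an added example, not Spring Boot's or Spring Security's own code, of an explicit `SecurityFilterChain` that removes that dependence on the default chain and makes the authorization rules visible in the application. It assumes Spring Security 6.x or 7.x on the classpath; the paths and the role name are this example's own.

```java
// Added example (not Spring Boot / Spring Security project code): an explicit
// SecurityFilterChain so the application never relies on the default web security.
// Assumes Spring Security 6.x/7.x; the paths and the ACTUATOR_ADMIN role are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // The liveness probe is the only anonymous endpoint; keep this list explicit.
                .requestMatchers("/actuator/health").permitAll()
                // Every other actuator endpoint (env, heapdump, ...) needs an operator role.
                .requestMatchers("/actuator/**").hasRole("ACTUATOR_ADMIN")
                // Deny-by-default: anything not matched above requires authentication.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

A quick check after deploying is an unauthenticated request to an actuator endpoint other than health, for example `curl -i http://localhost:8080/actuator/env`, which must answer 401 rather than 200.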
Spring Boot Weak PRNG in Random Value Property Source (before 4.0.6)
CVE-2026-40975
4.8 - Medium
- April 27, 2026
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0 - 4.0.5 (fix 4.0.6), 3.5.0 - 3.5.13 (fix 3.5.14), 3.4.0 - 3.4.15 (fix 3.4.16), 3.3.0 - 3.3.18 (fix 3.3.19), 2.7.0 - 2.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.
Use of Insufficiently Random Values
Spring Boot Cassandra SSL Hostname Verification Failure (pre 4.0.6, 3.5.14, ...)
CVE-2026-40974
5 - Medium
- April 27, 2026
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0 - 4.0.5 (fix 4.0.6), 3.5.0 - 3.5.13 (fix 3.5.14), 3.4.0 - 3.4.15 (fix 3.4.16), 3.3.0 - 3.3.18 (fix 3.3.19), 2.7.0 - 2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
Improper Certificate Validation
Spring Boot 4 Session Hijack via ApplicationTemp TempDir
CVE-2026-40973
7 - High
- April 27, 2026
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0 - 4.0.5 (fix 4.0.6), 3.5.0 - 3.5.13 (fix 3.5.14), 3.4.0 - 3.4.15 (fix 3.4.16), 3.3.0 - 3.3.18 (fix 3.3.19), 2.7.0 - 2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Insecure Temporary File
Spring Boot DevTools Remote Secret Timing Attack Leading to RCE (2.7.0-4.0.5)
CVE-2026-40972
7.5 - High
- April 27, 2026
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0 - 4.0.5 (fix 4.0.6), 3.5.0 - 3.5.13 (fix 3.5.14), 3.4.0 - 3.4.15 (fix 3.4.16), 3.3.0 - 3.3.18 (fix 3.3.19), 2.7.0 - 2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Observable Timing Discrepancy
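The class of bug behind CVE-2026-40972 is a secret comparison whose running time depends on how many leading bytes the attacker guessed correctly. The following is an added example, not Spring Boot's DevTools code: it shows the leaky shape of such a comparison next to a constant-time version built on `MessageDigest.isEqual`, with both sides hashed first so that even the length of the secret is not observable. The class name and the sample secret are this example's own.

```java
// Added example (not Spring Boot DevTools code): a timing-leaky secret comparison and
// its constant-time replacement. The class and the sample secret are assumptions; only
// the comparison technique is the point.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SecretCheck {

    private SecretCheck() {}

    // Vulnerable: String.equals returns at the first mismatching character, so the
    // response time grows with the length of the correct prefix the attacker supplied.
    static boolean leakyEquals(String expected, String presented) {
        return expected.equals(presented);
    }

    // Hardened: hash both sides to a fixed length, then compare with MessageDigest.isEqual,
    // which inspects every byte regardless of where the first difference is. Hashing
    // first also hides the secret's length, which isEqual alone would reveal.
    static boolean constantTimeEquals(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] a = sha256.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha256.digest(presented.getBytes(StandardCharsets.UTF_8)); // digest() resets
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        String secret = "correct-horse-battery-staple"; // constructed sample value
        System.out.println(constantTimeEquals(secret, "correct-horse-battery-staple"));
        System.out.println(constantTimeEquals(secret, "correct-horse-battery-stapla"));
        System.out.println(constantTimeEquals(secret, "correct"));
    }
}
```

The same pattern applies to any shared-secret header or token check in an application; `MessageDigest.isEqual` is the JDK's own constant-time comparison and needs no extra dependency.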
Spring Boot 4.0.0-4.0.5 / 3.5.0-3.5.13 RabbitMQ SSL Hostname Verification Bypass
CVE-2026-40971
5 - Medium
- April 27, 2026
When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.0 - 4.0.5 (fix 4.0.6), 3.5.0 - 3.5.13 (fix 3.5.14) per vendor advisory.
Improper Certificate Validation
Spring Boot 4.0.0-4.0.5: Omitted Hostname Verification in Elasticsearch SSL Auto-Config
CVE-2026-40970
5 - Medium
- April 27, 2026
When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0 - 4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Improper Certificate Validation
Spring Security 7.0.0-7.0.4: Auth Bypass via Servlet Path
CVE-2026-22754
7.5 - High
- April 22, 2026
Vulnerability in Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Authorization
Spring Security 7.0.0-7.0.4 Matcher Security Bypass
CVE-2026-22753
7.5 - High
- April 22, 2026
Vulnerability in Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Protection Mechanism Failure
Spring Security 6/7 JWT Decoder Missing Token Validator (CVE-2026-22748)
CVE-2026-22748
5.3 - Medium
- April 22, 2026
Vulnerability in Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Improper Input Validation
Spring Security 7.0.0-7.0.4 SubjectX500PrincipalExtractor X.509 CN flaw impersonation
CVE-2026-22747
6.8 - Medium
- April 22, 2026
Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.
Improper Validation of Certificate with Host Mismatch
Spring Security 5.7-7.0 DAO Auth Timing Attack Bypass via Disabled/Locked
CVE-2026-22746
3.7 - Low
- April 22, 2026
Vulnerability in Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Observable Timing Discrepancy
Spring Security TOCTOU Race in JdbcOneTimeTokenService (6.4.0-6.4.15, 6.5.0-6.5.9, 7.0.0-7.0.4)
CVE-2026-22751
4.8 - Medium
- April 21, 2026
Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
TOCTTOU
Spring Cloud Gateway SSL Bundle Config Ignored (CVE-2026-22750)
CVE-2026-22750
7.5 - High
- April 10, 2026
When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central (https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/). Ideally, if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1, which are the current supported open source releases.
External Control of System or Configuration Setting
Spring AI redis-store TAG Injection via RedisFilterExpressionConverter (before 1.0.5 / 1.1.4)
CVE-2026-22744
7.5 - High
- March 27, 2026
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Neo4jVectorFilterExpressionConverter Cypher Injection in SpringAI Neo4j Store <1.0.5 & <1.1.4
CVE-2026-22743
7.5 - High
- March 27, 2026
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
SQL Injection
Spring AI spring-ai-bedrock-converse SSRF in BedrockProxyChatModel pre-1.1.4
CVE-2026-22742
8.6 - High
- March 27, 2026
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
SSRF
Spring AI SpEL Injection via SimpleVectorStore (1.0.0-1.0.4, 1.1.0-1.1.3)
CVE-2026-22738
9.8 - Critical
- March 27, 2026
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Argument Injection
Spring Cloud PT via Profile Param (<3.1.13/4.1.9/4.2.3/4.3.2/5.0.2)
CVE-2026-22739
8.6 - High
- March 24, 2026
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
Directory traversal
Spring Framework 5.3.0-7.0.5 Path Traversal via Script Template Views
CVE-2026-22737
5.9 - Medium
- March 19, 2026
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Directory traversal
Spring MVC/WebFlux SSE Stream Corruption for v5.3-7.0.5
CVE-2026-22735
2.6 - Low
- March 19, 2026
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Improper Locking
Spring Boot 2.7.0-4.0.3 Auth Bypass via CloudFoundry Actuator (CVE-2026-22733)
CVE-2026-22733
8.2 - High
- March 19, 2026
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Boot: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Authentication Bypass Using an Alternate Path or Channel
Spring Security HTTP Header Write Failure before 7.0.4
CVE-2026-22732
9.1 - Critical
- March 19, 2026
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security servlet applications using lazy (default) writing of HTTP headers: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.
forced browsing
Auth Bypass in Spring Boot Actuator Health Group <=4.0.3
CVE-2026-22731
8.2 - High
- March 19, 2026
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
Authentication Bypass Using an Alternate Path or Channel
JSONPath Injection in Spring AI AbstractFilterExpressionConverter
CVE-2026-22729
8.6 - High
- March 18, 2026
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata. The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
EL Injection
SQLi in Spring AI's MariaDBFilterExpressionConverter Bypass Metadata Controls
CVE-2026-22730
8.8 - High
- March 18, 2026
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization.
SQL Injection
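CVE-2026-22729 and CVE-2026-22730 above, like CVE-2026-40967, CVE-2026-22744, CVE-2026-22743, CVE-2026-22738 and CVE-2026-41705 earlier on this page, all come down to user-controlled strings reaching a `FilterExpressionConverter` as raw keys or values. The following is an added example, not Spring AI project code, of the application-side control that removes that exposure regardless of which converter is behind the store: keys come only from a fixed allow-list, values are typed and restricted to a conservative alphabet, and the tenant constraint is appended server-side rather than taken from the request. It assumes Spring AI 1.0.x (`FilterExpressionBuilder`, `Filter.Expression`, `SearchRequest.builder()`); the metadata key names and the `tenant` key are this example's own.

```java
// Added example (not Spring AI project code): build vector-store filter expressions from
// an allow-list of keys and validated, typed values, with the tenant constraint always
// added server-side. Assumes Spring AI 1.0.x; the key names are this example's assumptions.
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.ai.vectorstore.SearchRequest;
import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

public final class SafeFilters {

    private SafeFilters() {}

    // The only metadata keys a caller may reference. A key is never copied verbatim from
    // the request: the SimpleVectorStore advisory shows a user-supplied key becoming SpEL.
    private static final Set<String> ALLOWED_KEYS = Set.of("category", "language", "year");

    // Values are confined to an alphabet with none of the characters the advisories list
    // as unescaped (quotes, backticks, ||, &&, braces), so a missed escape has nothing to act on.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    /**
     * @param tenantId    server-derived (for example from the authenticated principal), never from the request
     * @param userFilters key/value pairs taken from the request
     */
    public static Filter.Expression build(String tenantId, Map<String, String> userFilters) {
        if (!SAFE_VALUE.matcher(tenantId).matches()) {
            throw new IllegalArgumentException("tenant id contains disallowed characters");
        }
        FilterExpressionBuilder b = new FilterExpressionBuilder();

        // Tenant isolation is AND-ed onto whatever the caller asked for; it cannot be dropped.
        FilterExpressionBuilder.Op expr = b.eq("tenant", tenantId);

        for (Map.Entry<String, String> e : userFilters.entrySet()) {
            String key = e.getKey();
            String value = e.getValue();
            if (!ALLOWED_KEYS.contains(key)) {
                throw new IllegalArgumentException("filter key not allowed: " + key);
            }
            if (value == null || !SAFE_VALUE.matcher(value).matches()) {
                throw new IllegalArgumentException("filter value not allowed for key " + key);
            }
            if (key.equals("year")) {
                // Numeric field: parse it so the converter emits a number, not a quoted string.
                if (!value.matches("\\d{4}")) {
                    throw new IllegalArgumentException("year must be four digits");
                }
                expr = b.and(expr, b.eq(key, Integer.valueOf(value)));
            } else {
                expr = b.and(expr, b.eq(key, value));
            }
        }
        return expr.build();
    }

    public static SearchRequest search(String query, String tenantId, Map<String, String> userFilters) {
        return SearchRequest.builder()
                .query(query)
                .topK(5)
                .filterExpression(build(tenantId, userFilters))
                .build();
    }
}
```

With this in front of the store, a request carrying `category = a' || tenant == 'other` is rejected at the value check before any converter sees it; upgrading to the fixed Spring AI releases remains necessary for the converters' own escaping.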
Command Injection in VSCode Spring CLI Extension
CVE-2026-22718
6.8 - Medium
- January 14, 2026
The VSCode extension for Spring CLI is vulnerable to command injection, resulting in command execution on the user's machine.
Shell injection
Spring Framework STOMP/WS Bypass (5.3.x-6.2.x)
CVE-2025-41254
4.3 - Medium
- October 16, 2025
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.

Affected Spring Products and Versions. Spring Framework:
* 6.2.0 - 6.2.11
* 6.1.0 - 6.1.23
* 6.0.x - 6.0.29
* 5.3.0 - 5.3.45
* Older, unsupported versions are also affected.

Mitigation: Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.2.x | 6.2.12 | OSS |
| 6.1.x | 6.1.24 | Commercial (https://enterprise.spring.io/) |
| 6.0.x | N/A | Out of support (https://spring.io/projects/spring-framework#support) |
| 5.3.x | 5.3.46 | Commercial (https://enterprise.spring.io/) |

No further mitigation steps are necessary.

Credit: This vulnerability was discovered and responsibly reported by Jannis Kaiser.
Session Riding
Spring Cloud Gateway Webflux Exposes Env Vars via SpEL
CVE-2025-41253
7.5 - High
- October 16, 2025
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true:
* The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable).
* An admin or untrusted third party is using Spring Expression Language (SpEL) to access environment variables or system properties via routes.
* An untrusted third party could create a route that uses SpEL to access environment variables or system properties if:
  * The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway and management.endpoint.gateway.enabled=true or management.endpoint.gateway.access=unrestricted.
  * The actuator endpoints are available to attackers.
  * The actuator endpoints are unsecured.
EL Injection
Spring Framework Generic Annotation Detection Flaw in @EnableMethodSecurity
CVE-2025-41249
7.5 - High
- September 16, 2025
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized supertype with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use security annotations on methods in generic superclasses or generic interfaces. This CVE is published in conjunction with CVE-2025-41248 (https://spring.io/security/cve-2025-41248).
AuthZ
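The advisory names the code shape that matters (a security annotation on a method of a generic superclass or generic interface, inherited by a concrete type) without giving a way to find such methods in your own code base. The class below is an added example, not Spring's code and not a reproduction of the advisory's exact trigger: `CrudService`, `Order` and `OrderService` are a hypothetical hierarchy in that shape, and `unsecuredMethods` lists the public methods of a concrete class for which Spring Framework's merged-annotation lookup (`AnnotatedElementUtils`, which is what the audit assumes method security relies on) returns no `@PreAuthorize`. Point it at your own service classes: any method it reports is one that `@EnableMethodSecurity` will not intercept, since unannotated methods are simply not advised.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.security.access.prepost.PreAuthorize;

/*
 * Added audit helper (hypothetical, not from Spring). The secured methods are
 * declared on a generic interface; the concrete class only implements them.
 */
public final class MethodSecurityAnnotationAudit {

    // Security rules live on the parameterized supertype ...
    interface CrudService<T> {
        @PreAuthorize("hasRole('ADMIN')")
        void delete(T entity);

        @PreAuthorize("isAuthenticated()")
        T find(long id);
    }

    static final class Order { }

    // ... and are only inherited here; nothing is re-annotated on the concrete type.
    static final class OrderService implements CrudService<Order> {
        @Override public void delete(Order entity) { /* delete the order */ }
        @Override public Order find(long id) { return new Order(); }
    }

    /**
     * Public, non-bridge methods of {@code type} for which no @PreAuthorize can be
     * resolved through the type hierarchy. Bridge methods are skipped because they
     * are compiler artifacts of the generic erasure, not the methods callers invoke.
     */
    static List<Method> unsecuredMethods(Class<?> type) {
        List<Method> unsecured = new ArrayList<>();
        for (Method m : type.getMethods()) {
            if (m.isBridge() || m.getDeclaringClass() == Object.class) {
                continue;
            }
            PreAuthorize rule = AnnotatedElementUtils.findMergedAnnotation(m, PreAuthorize.class);
            if (rule == null) {
                unsecured.add(m);
            }
        }
        return unsecured;
    }

    public static void main(String[] args) {
        List<Method> missing = unsecuredMethods(OrderService.class);
        if (missing.isEmpty()) {
            System.out.println("every public method of OrderService resolves a @PreAuthorize rule");
        } else {
            // On a fixed Spring Framework this means the method genuinely has no rule;
            // on an affected version it can also mean the hierarchy hits the resolution flaw.
            missing.forEach(m -> System.out.println("no @PreAuthorize resolved for " + m));
        }
    }
}
```

Run it against the upgraded framework as well as the old one: a method that appears in the list only on the old version is exactly the case the advisory describes, and the safest interim measure for such methods is to repeat the annotation on the concrete override.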
Spring MVC Path Traversal on Non-Compliant Servlet Containers (CVE-2025-41242)
CVE-2025-41242
5.9 - Medium
- August 18, 2025
Spring Framework MVC applications can be vulnerable to a path traversal vulnerability when deployed on a non-compliant Servlet container. An application can be vulnerable when all of the following are true:
* the application is deployed as a WAR or with an embedded Servlet container
* the Servlet container does not reject suspicious sequences (https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization)
* the application serves static resources with Spring resource handling (https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title)

We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Directory traversal
Spring Framework 6.x RFD via CD#filename(String, Charset)
CVE-2025-41234
- June 12, 2025
Description

In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all of the following are true:
* The header is prepared with org.springframework.http.ContentDisposition.
* The filename is set via ContentDisposition.Builder#filename(String, Charset).
* The value for the filename is derived from user-supplied input.
* The application does not sanitize the user-supplied input.
* The downloaded content of the response is injected with malicious commands by the attacker (see the RFD paper reference for details).

An application is not vulnerable if any of the following is true:
* The application does not set a Content-Disposition response header.
* The header is not prepared with org.springframework.http.ContentDisposition.
* The filename is set via one of:
  * ContentDisposition.Builder#filename(String), or
  * ContentDisposition.Builder#filename(String, ASCII)
* The filename is not derived from user-supplied input.
* The filename is derived from user-supplied input but sanitized by the application.
* The attacker cannot inject malicious content in the downloaded content of the response.

Affected Spring Products and Versions

Spring Framework:
* 6.2.0 - 6.2.7
* 6.1.0 - 6.1.20
* 6.0.5 - 6.0.28
* Older, unsupported versions are not affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.2.x | 6.2.8 | OSS |
| 6.1.x | 6.1.21 | OSS |
| 6.0.x | 6.0.29 | Commercial (https://enterprise.spring.io/) |

No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File Download (RFD) attacks via unsanitized user input in `ContentDisposition.Builder#filename(String, Charset)` with non-ASCII charsets.
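The advisory's conditions are easiest to see in code. The controller below is an added example, not Spring's code and not from any real application: `ExportController`, its two endpoints and the `name` and `payload` request parameters are hypothetical. The first handler is the vulnerable shape (user-controlled filename through `filename(String, Charset)` with a non-ASCII charset, no sanitization, and a body the caller also controls); the second keeps the non-ASCII charset but reduces the filename to a server-chosen allowlist and forces the extension, which satisfies the "sanitized by the application" exclusion. If non-ASCII names are not needed, switching to `filename(String)` is the simpler fix the advisory lists.

```java
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

/** Added illustration of CVE-2025-41234 (hypothetical controller, not Spring's code). */
@RestController
public class ExportController {

    // VULNERABLE on the affected versions: all of the advisory's conditions hold.
    // The attacker picks the filename (and so the apparent file type) and the body.
    @GetMapping("/export-unsafe")
    public ResponseEntity<String> exportUnsafe(@RequestParam String name,
                                               @RequestParam String payload) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(name, StandardCharsets.UTF_8) // filename(String, Charset), non-ASCII
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body(payload); // attacker-influenced download content
    }

    // HARDENED: the filename that reaches the header is built from an allowlist and
    // the extension is fixed by the server, so the caller no longer chooses the
    // delimiters or the file type of the download.
    @GetMapping("/export")
    public ResponseEntity<String> export(@RequestParam String name,
                                         @RequestParam String payload) {
        ContentDisposition cd = ContentDisposition.attachment()
                .filename(safeFilename(name, "txt"), StandardCharsets.UTF_8)
                .build();
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, cd.toString())
                .contentType(MediaType.TEXT_PLAIN)
                .body(payload);
    }

    /**
     * Keeps Unicode letters and digits, '-', '_' and spaces; every other code point
     * (quotes, ';', '/', '\\', '.', control characters, ...) becomes '_'. The caller's
     * own '.' is dropped so the extension is always the one the server appends.
     */
    static String safeFilename(String userInput, String extension) {
        String normalized = Normalizer.normalize(userInput, Normalizer.Form.NFC);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < normalized.length(); ) {
            int cp = normalized.codePointAt(i);
            if (Character.isLetterOrDigit(cp) || cp == '-' || cp == '_' || cp == ' ') {
                sb.appendCodePoint(cp);
            } else {
                sb.append('_');
            }
            i += Character.charCount(cp);
        }
        String stem = sb.toString().trim();
        if (stem.isEmpty()) {
            stem = "download";
        }
        if (stem.length() > 100) {
            stem = stem.substring(0, 100);
        }
        return stem + "." + extension;
    }
}
```

The allowlist is deliberately narrow: an RFD payload depends on the browser saving the response under an attacker-chosen name with an executable extension, so removing the caller's control over '.', quotes and separators is what breaks the attack, independent of how the framework later encodes the value.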