Spring Boot Artemis DataDir Path Prediction 2.7.0-4.0.6 Local Attack
CVE-2026-41001 Published on June 11, 2026
Predictable Temp Directory in Artemis Auto-configuration
Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts.
Affected versions:
Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.
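A pre-start check for the condition described above, as an added example (not Spring Boot's code and not part of the original advisory): it inspects the directory the embedded broker will use and reports a symlink, a foreign owner, or group/other write access. The function name `audit_data_dir` and the path argument are assumptions; pass the directory you configure explicitly, for example through `spring.artemis.embedded.data-directory`.

```python
import os
import stat
import sys


def audit_data_dir(path, uid=None):
    """Return findings for a broker data directory; an empty list means OK."""
    uid = os.geteuid() if uid is None else uid  # account the service runs as
    try:
        st = os.lstat(path)  # lstat inspects the entry itself, never a link target
    except FileNotFoundError:
        # Not created yet: anyone who can write the parent can create it first.
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return ["missing, and parent is writable by group or others"]
        return []
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink to %s" % os.readlink(path)]
    if not stat.S_ISDIR(st.st_mode):
        return ["exists but is not a directory"]
    findings = []
    if st.st_uid != uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return findings


if __name__ == "__main__":
    # Usage: python audit_data_dir.py /path/to/data-dir  (path is caller-supplied)
    problems = audit_data_dir(sys.argv[1])
    for p in problems:
        print("%s: %s" % (sys.argv[1], p))
    sys.exit(1 if problems else 0)
```

Run it as the service account before the application starts; a non-zero exit means the directory should not be handed to the broker as it stands.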
Vulnerability Analysis
CVE-2026-41001 can be exploited with local system access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.
Weakness Type
Insecure Temporary File
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Products Associated with CVE-2026-41001
Affected Versions
Spring Boot:
- Versions from 4.0.0 up to, but not including, 4.0.7 are affected.
- Versions from 3.5.0 up to, but not including, 3.5.15 are affected.
- Versions from 3.4.0 up to, but not including, 3.4.17 are affected.
- Versions from 3.3.0 up to, but not including, 3.3.20 are affected.
- Versions from 2.7.0 up to, but not including, 2.7.34 are affected.