CVE-2026-41842 · Severity: HIGH · CNA: vmware

CVE-2026-41842: Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
5.3.49 (5.3.x line); 6.1.28, 6.2.19 and 7.0.8 for the 6.1.x, 6.2.x and 7.0.x lines
Affected Products
1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in Spring Framework's Spring MVC and WebFlux components, specifically in the static resource resolution path used by versioned resources. The vulnerability is reachable over the network with no authentication required, as confirmed by the CVSS vector (AV:N, PR:N). Successful exploitation allows an attacker to exhaust server resources and crash or hang the affected application. Patched-image rebuilds at versions 5.3.49, 6.1.28, 6.2.19, and 7.0.8 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-41842 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle Spring Framework directly. Coverage applies to all four affected Spring Framework release lines (5.3.x, 6.1.x, 6.2.x, and 7.0.x).

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and weights that score against each customer environment's compliance policy to determine urgency and routing. Findings can be directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at the applicable fix version (5.3.49, 6.1.28, 6.2.19, or 7.0.8, depending on which release line is in use) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Spring MVC or WebFlux service over the network; no local access or special network position is needed.

  • Authentication: Not required

    No account or credential of any kind is needed to send the crafted static-resource requests that trigger the DoS condition.

  • Victim interaction: Not required

    The attacker sends requests directly to the service; no user action or social-engineering step is involved.

  • Attack complexity: Low

    AC:L means the trigger is reproducible on demand: no race conditions, specific memory layout, or other environmental preconditions are required.

Blast Radius

  • Crashes or indefinitely stalls the targeted Spring MVC or WebFlux application process, taking the service offline for legitimate users.
  • Sustained request floods can pin CPU or memory on the host, potentially affecting other workloads co-located on the same pod or node.
  • No confidential data is read and no stored data is modified; impact is limited entirely to availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41842 is active across all ingestion cycles, matching images in every connected registry and pipeline against all four affected Spring Framework release lines. Where a customer's images carry an affected version, a patched-image rebuild targeting the appropriate fix release (5.3.49, 6.1.28, 6.2.19, or 7.0.8) becomes available. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes.

For teams that need to mitigate before a rebuild is deployed, recommended compensating controls are:

  • network policy restricting which upstream clients can reach the static resource endpoints, since the flaw is reachable without authentication by anyone who can send a request;
  • rate limiting at the ingress or load-balancer layer, which bounds how many resource-resolution requests a single client can trigger;
  • disabling the versioned resource chain if the application does not depend on versioned static URLs (in Spring MVC and WebFlux this is the VersionResourceResolver registered on the resource handler chain; in Spring Boot it is controlled by the spring.web.resources.chain.strategy.content.enabled and spring.web.resources.chain.strategy.fixed.enabled properties).

None of these controls removes the vulnerable code path; upgrading to the fixed release is the only complete remediation.


Fix available

5.3.49 · 6.1.28 · 6.2.19 · 7.0.8
Affected packages
  • Spring / Spring Framework
    < 7.0.8 (from 7.0.0) · < 6.2.19 (from 6.2.0) · < 6.1.28 (from 6.1.0) · < 5.3.49 (from 5.3.0)
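The four ranges above are half-open (the fix version itself is not affected), and pre-release builds of a fix version still carry the vulnerable code. The following Python is added here as an example (not HarborGuard's scanner or Spring code): it pulls Spring Framework module versions out of `mvn dependency:tree` output and maps each one to the fix version listed on this page. The dependency-tree lines are constructed sample input; the Spring Boot and Spring Security coordinates in it are illustrative only.

```python
"""Check Spring Framework versions against the CVE-2026-41842 ranges.

Added example for this advisory, not HarborGuard or Spring project code.
The ranges and fix versions are those listed on this page; SAMPLE_TREE is
constructed input in the format printed by `mvn dependency:tree`.
"""
from __future__ import annotations

import re

# (first affected version, first fixed version) per release line.
AFFECTED_RANGES = [
    ("7.0.0", "7.0.8"),
    ("6.2.0", "6.2.19"),
    ("6.1.0", "6.1.28"),
    ("5.3.0", "5.3.49"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Comparable tuple (major, minor, patch, is_release).

    A qualifier other than RELEASE (-SNAPSHOT, -M1, -RC1, ...) sorts below
    the numeric version, so 7.0.8-SNAPSHOT is still inside the 7.0.x range
    and reported as affected rather than mistaken for the fix.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Spring Framework version: %r" % text)
    major, minor, patch, qualifier = m.groups()
    is_release = 1 if qualifier in (None, "RELEASE") else 0
    return int(major), int(minor), int(patch), is_release


def fix_version_for(version: str) -> str | None:
    """Fix version for the affected release line, or None when the version is
    not inside any range listed in the advisory (e.g. already fixed)."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


# Maven coordinates are groupId:artifactId:type:version:scope; only the
# org.springframework group (not .boot, .security, ...) is Spring Framework.
_DEP_RE = re.compile(
    r"org\.springframework:(spring-[a-z-]+):jar:([^:\s]+):"
    r"(?:compile|runtime|provided|test|system)"
)


def find_spring_modules(dependency_tree: str) -> dict[str, str]:
    """Map Spring Framework module name -> version from dependency:tree text."""
    return {m.group(1): m.group(2) for m in _DEP_RE.finditer(dependency_tree)}


def assess(dependency_tree: str) -> list[tuple[str, str, str]]:
    """Return (module, version, fix_version) for every affected module."""
    findings = []
    for module, version in sorted(find_spring_modules(dependency_tree).items()):
        fix = fix_version_for(version)
        if fix is not None:
            findings.append((module, version, fix))
    return findings


# Constructed sample: a web service resolving Spring Framework 6.2.18, plus
# a Spring Security artifact that must not be matched as a Framework module.
SAMPLE_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.5.0:compile
[INFO] |  +- org.springframework:spring-web:jar:6.2.18:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:6.2.18:compile
[INFO] |  \\- org.springframework:spring-core:jar:6.2.18:compile
[INFO] +- org.springframework.security:spring-security-web:jar:6.5.0:compile
"""

if __name__ == "__main__":
    for module, version, fix in assess(SAMPLE_TREE):
        print(f"{module} {version}: affected by CVE-2026-41842, upgrade to {fix}")
```

Run it against real output from `mvn dependency:tree -Dincludes=org.springframework` (or the equivalent Gradle `dependencies` listing, with the regex adjusted) rather than against the declared Boot version: the Framework version that Boot resolves transitively is what matters, and a managed-version override can leave a project on an affected line even after a Boot upgrade.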
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H