Stream Corruption in Spring MVC and WebFlux Applications
CVE-2026-22735

2.6LOW

Key Information:

Vendor: Spring
Status: Spring Foundation
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-22735?

Spring MVC and WebFlux applications are susceptible to stream corruption vulnerabilities when utilizing Server-Sent Events (SSE). This potentially allows attackers to compromise data integrity by manipulating the data stream. The affected versions of the Spring Framework include versions 7.0.0 to 7.0.5, 6.2.0 to 6.2.16, 6.1.0 to 6.1.25, and 5.3.0 to 5.3.46. Organizations utilizing these versions should prioritize updated patches to mitigate risks associated with this vulnerability.

Affected Version(s)

Spring Foundation 7.0.0 <= 7.0.5

Spring Foundation 6.2.0 <= 6.2.16

Spring Foundation 6.1.0 <= 6.1.25

References

https://spring.io/security/cve-2026-22735

CVSS V3.1

Score:

2.6

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Jan 9, 2026

CVE-2026-22735 Data

JSON