Stream Corruption in Spring MVC and WebFlux Applications
CVE-2026-22735

2.6LOW

Key Information:

Vendor: Spring
Status: Spring Foundation
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-22735?

Spring MVC and WebFlux applications are susceptible to stream corruption vulnerabilities when utilizing Server-Sent Events (SSE). This potentially allows attackers to compromise data integrity by manipulating the data stream. The affected versions of the Spring Framework include versions 7.0.0 to 7.0.5, 6.2.0 to 6.2.16, 6.1.0 to 6.1.25, and 5.3.0 to 5.3.46. Organizations utilizing these versions should prioritize updated patches to mitigate risks associated with this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Spring Foundation 7.0.0 <= 7.0.5

Spring Foundation 6.2.0 <= 6.2.16

Spring Foundation 6.1.0 <= 6.1.25

References

https://spring.io/security/cve-2026-22735

CVSS V3.1

Score:

2.6

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Jan 9, 2026

JSON

Spring