Cache Poisoning Vulnerability in Spring MVC and WebFlux Applications
CVE-2026-22741

Key Information:

Vendor: VMware
CVE Published: 29 April 2026

What is CVE-2026-22741?

Applications using Spring MVC or Spring WebFlux may be susceptible to cache poisoning when they are configured with resource chain support and caching is enabled. The vulnerability applies when the application also allows encoded resource resolution and the resource cache is initially empty. Under those conditions, an attacker who sends specially crafted requests can inject malicious resources into the cache. This can lead to a denial of service, because the front-end application may function improperly for users. Careful configuration and monitoring are needed to guard against such vulnerabilities.

Affected Version(s)

Spring Framework 7.0.0

Spring Framework 7.0.0 < 7.0.7

Spring Framework 6.2.0 < 6.2.18

CVSS V3.1

Score:
Severity: NONE
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yuki Matsuhashi