Denial of Service Vulnerability in Spring MVC and WebFlux on Windows Platforms
CVE-2026-22745
5.3 MEDIUM
What is CVE-2026-22745?
Spring MVC and WebFlux applications can be susceptible to Denial of Service attacks when serving static resources from a file system on Windows platforms. The conditions are specific: the application uses Spring MVC or WebFlux and responds to static content requests. An attacker can then send crafted requests that are intentionally slow to resolve, which keeps HTTP connections open for a long time. This prolonged connection usage can ultimately make the application unavailable, affecting service delivery and user access.
Affected Version(s)
Spring Framework 7.0.0
Spring Framework 7.0.0 < 7.0.7
Spring Framework 6.2.0 < 6.2.18