Bug 2487805 (CVE-2026-41001)

Summary: CVE-2026-41001 spring-boot: Spring Boot: Local attacker can manipulate data directory due to predictable path
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abrianik, anujha, aschwart, asoldano, aszczucz, ataylor, bbaranow, bmaxwell, boliveir, bstansbe, dlofthou, drichtar, ehugonne, ggrzybek, gtanzill, istudens, ivassile, iweiss, jbuscemi, jraez, mosmerov, mposolda, msvehla, nwallace, parichar, pesilva, pjindal, pmackay, rhel-process-autobot, rmartinc, rstancel, sdawley, ssilvert, sthorger, tasato, thjenkin, vdosoudi, vmuzikar, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Spring Boot. The ArtemisEmbeddedConfigurationFactory component uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can exploit this by pre-creating this predictable directory or placing a symlink before the application starts. This could allow the attacker to manipulate the data directory, potentially leading to information disclosure, data modification, or denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-11 07:01:44 UTC
Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts.

Affected versions:
Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.