Bug 2486714 (CVE-2026-41843) - CVE-2026-41843 spring-webflux: spring-webmvc: Spring Framework: Information Disclosure via Path Traversal
Keywords:
Status: NEW
Alias: CVE-2026-41843
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2488313 2488314
Blocks:
Reported: 2026-06-09 05:02 UTC by OSIDB Bzimport
Modified: 2026-06-12 10:47 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-09 05:02:06 UTC
Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
