The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22737

CVE-2026-22737: Spring Framework Info Disclosure Bug

CVE-2026-22737 is an information disclosure flaw in Spring Framework affecting applications using Java scripting engine template views. Attackers can access unauthorized files. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: March 27, 2026

CVE-2026-22737 Overview

CVE-2026-22737 is a Path Traversal vulnerability affecting Spring Framework applications that utilize Java scripting engine-enabled template views such as JRuby and Jython. When exploited, this vulnerability allows attackers to disclose content from files outside the configured locations for script template views in both Spring MVC and Spring WebFlux applications.

Critical Impact

Unauthorized disclosure of sensitive file contents from outside configured template directories, potentially exposing configuration files, credentials, or other sensitive application data.

Affected Products

  • Spring Framework versions 7.0.0 through 7.0.5
  • Spring Framework versions 6.2.0 through 6.2.16
  • Spring Framework versions 6.1.0 through 6.1.25
  • Spring Framework versions 5.3.0 through 5.3.46

Discovery Timeline

  • 2026-03-20 - CVE-2026-22737 published to NVD
  • 2026-03-20 - Last updated in NVD database

Technical Details for CVE-2026-22737

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The flaw exists in the handling of script template views within Spring MVC and Spring WebFlux frameworks when Java scripting engines like JRuby or Jython are enabled.

The vulnerability allows an attacker to craft malicious requests that traverse outside the intended template directory structure. By manipulating path parameters or view names, an attacker can access files that should not be accessible through the template rendering mechanism. This can result in the disclosure of sensitive configuration files, application source code, or other protected resources on the server filesystem.

The network-accessible nature of this vulnerability means it can be exploited remotely without requiring authentication, though the attack complexity is considered high as specific conditions must be met for successful exploitation.

Root Cause

The root cause lies in insufficient validation and sanitization of template view paths when Java scripting engines (JRuby, Jython) are enabled for template rendering. The framework fails to properly restrict path resolution, allowing directory traversal sequences to escape the configured script template view directories.

Attack Vector

The attack is conducted over the network by sending specially crafted HTTP requests to a vulnerable Spring application. An attacker manipulates view name resolution or template path parameters to include path traversal sequences (such as ../). When the application attempts to resolve and render the template, the scripting engine follows the traversal path, accessing and potentially disclosing files from unauthorized locations on the filesystem.

The vulnerability requires that the target application has Java scripting engine template views enabled (JRuby, Jython, or similar JSR-223 compliant scripting engines), which limits the scope of affected applications to those with this specific configuration.

Detection Methods for CVE-2026-22737

Indicators of Compromise

  • HTTP requests containing path traversal sequences (../, ..%2f, ..%252f) in template-related parameters
  • Unusual file access patterns in application logs showing attempts to read files outside template directories
  • Error messages or exceptions related to file access outside configured template paths
  • Access logs showing requests targeting script template endpoints with encoded directory traversal patterns

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block path traversal sequences in request parameters
  • Enable verbose logging for template resolution operations to capture suspicious path requests
  • Deploy intrusion detection systems (IDS) with signatures for path traversal attack patterns
  • Monitor application logs for file access exceptions or security-related template rendering errors

Monitoring Recommendations

  • Configure centralized log aggregation to correlate template access events across application instances
  • Set up alerts for repeated failed template resolution attempts that may indicate exploitation attempts
  • Monitor for unusual file read operations by the application process, particularly outside application directories
  • Implement real-time security monitoring for Spring Framework applications with scripting engine templates enabled

How to Mitigate CVE-2026-22737

Immediate Actions Required

  • Upgrade Spring Framework to patched versions: 7.0.6+, 6.2.17+, 6.1.26+, or 5.3.47+
  • If immediate patching is not possible, disable Java scripting engine template views (JRuby, Jython) temporarily
  • Review application configurations to identify components using script template views
  • Implement input validation at the application layer to reject path traversal sequences

Patch Information

Spring has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:

  • Spring Framework 7.0.6 or later for the 7.x branch
  • Spring Framework 6.2.17 or later for the 6.2.x branch
  • Spring Framework 6.1.26 or later for the 6.1.x branch
  • Spring Framework 5.3.47 or later for the 5.3.x branch

For detailed patch information, refer to the Spring Security Advisory for CVE-2026-22737.

Workarounds

  • Disable JRuby, Jython, or other JSR-223 scripting engine template views if not required for application functionality
  • Implement strict input validation on any user-controllable input that influences template view resolution
  • Deploy WAF rules to block requests containing path traversal patterns targeting the application
  • Restrict filesystem permissions for the application process to limit the impact of potential file disclosure
bash
# Configuration example - Restrict template view locations in Spring configuration
# application.properties or application.yml

# Disable script template views if not needed
spring.mvc.view.prefix=/WEB-INF/views/
spring.mvc.view.suffix=.html

# If using script templates, ensure strict path configuration
# and implement custom view resolver with path validation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechSpring Framework
  • SeverityMEDIUM
  • CVSS Score5.9
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-22
  • Technical References
  • Spring Security Advisory CVE-2026-22737
  • Related CVEs
  • CVE-2025-41254: Spring Framework Auth Bypass Vulnerability
  • CVE-2025-41249: Spring Framework Auth Bypass Vulnerability
  • CVE-2025-41242: Spring Framework Path Traversal Flaw
  • CVE-2024-22233: VMware Spring Framework DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English