CVE-2026-22741 Overview
A cache poisoning vulnerability exists in Spring MVC and Spring WebFlux applications when resolving static resources. This vulnerability allows attackers to manipulate the resource cache by sending malicious requests, causing resources to be cached with incorrect encoding. The attack requires specific conditions to be met, including enabled resource chain caching with encoded resources resolution support and an empty resource cache at the time of attack.
Critical Impact
Successful exploitation can result in denial of service by breaking the front-end application for clients through cache poisoning with incorrectly encoded resources.
Affected Products
- Spring MVC applications with resource chain caching enabled
- Spring WebFlux applications with resource chain caching enabled
- Applications configured with encoded resources resolution support
Discovery Timeline
- 2026-04-29 - CVE CVE-2026-22741 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-22741
Vulnerability Analysis
This cache poisoning vulnerability (CWE-524: Use of Cache Containing Sensitive Information) affects Spring Framework's static resource handling mechanism. The vulnerability arises in the resource chain support functionality when caching is enabled alongside encoded resources resolution.
The attack is only possible when all of the following conditions are met:
- The application uses Spring MVC or Spring WebFlux
- The application configures the resource chain support with caching enabled
- The application adds support for encoded resources resolution
- The resource cache is empty when the attacker has access to the application
When these conditions align, an attacker can craft malicious requests that poison the resource cache. The cache becomes populated with resources using incorrect encoding, which subsequently serves corrupted or broken resources to legitimate users.
Root Cause
The root cause lies in how Spring Framework handles encoded resource resolution when caching is enabled. The resource caching mechanism does not properly validate or segregate resources based on their encoding type during cache population. This allows an attacker to inject incorrectly encoded resources into the cache before legitimate requests populate it with proper resources.
Attack Vector
The attack requires network access and user interaction, with high complexity due to the specific conditions that must be met. An attacker must send specially crafted HTTP requests to the application while the resource cache is empty. These requests manipulate the encoding resolution process, causing the cache to store resources with wrong encoding specifications. Once the cache is poisoned, all subsequent users requesting these resources receive the incorrectly encoded versions, effectively breaking the front-end application functionality.
The attack targets the static resource handling pipeline in Spring's web infrastructure. By exploiting the encoded resources resolution feature, attackers can cause the application to serve broken JavaScript, CSS, or other static assets to users, resulting in a degraded or non-functional user interface.
Detection Methods for CVE-2026-22741
Indicators of Compromise
- Unexpected encoding errors in browser console logs when loading static resources
- User reports of broken front-end functionality or corrupted assets
- Anomalous requests to static resource endpoints with unusual encoding headers or parameters
- Cache entries containing incorrectly encoded static resources
Detection Strategies
- Monitor HTTP access logs for unusual patterns of requests to static resource endpoints, particularly during application startup or cache clear events
- Implement integrity checking for cached resources to detect encoding mismatches
- Configure alerting for increased rates of client-side errors related to resource loading
- Deploy web application firewalls (WAF) with rules to detect cache poisoning attempt patterns
Monitoring Recommendations
- Enable detailed logging for Spring's resource handling and caching components
- Monitor application performance metrics for sudden increases in front-end errors
- Set up synthetic monitoring to continuously verify static resource integrity
- Track cache hit/miss ratios and investigate anomalies during low-traffic periods
How to Mitigate CVE-2026-22741
Immediate Actions Required
- Review application configuration to determine if resource chain caching with encoded resources resolution is enabled
- Consider temporarily disabling resource caching until patches are applied
- Implement cache warming strategies with verified resources during application startup
- Restrict access to the application during cache initialization periods if possible
Patch Information
Spring has released a security advisory addressing this vulnerability. Administrators should consult the Spring Security Advisory for CVE-2026-22741 for official patch information and updated versions of the affected components. Apply the vendor-provided patches as soon as they become available in your deployment pipeline.
Workarounds
- Disable encoded resources resolution if not strictly required by the application
- Pre-warm the resource cache during application initialization with trusted resources before accepting external traffic
- Implement request validation to filter potentially malicious encoding-related parameters
- Configure the application behind a CDN or reverse proxy with its own caching layer to reduce direct cache manipulation exposure
# Configuration example - Disable encoded resources resolution in Spring Boot application.properties
spring.web.resources.chain.enabled=false
# Or disable caching specifically while keeping resource chain
spring.web.resources.cache.period=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
