CVE-2026-41001 Overview
CVE-2026-41001 affects Spring Boot's ArtemisEmbeddedConfigurationFactory, which uses a fixed, predictable path for the embedded Apache Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory, or place a symbolic link at it, before the application starts. The issue maps to [CWE-377] Insecure Temporary File and stems from the use of a predictable filesystem path in a shared location.
Critical Impact
Local attackers with low privileges on the same host can manipulate the embedded Artemis broker's data directory, leading to limited confidentiality, integrity, and availability impact on broker data.
Affected Products
- Spring Boot 4.0.0 through 4.0.6
- Spring Boot 3.5.0 through 3.5.14, 3.4.0 through 3.4.16, 3.3.0 through 3.3.19
- Spring Boot 2.7.0 through 2.7.33
Discovery Timeline
- 2026-06-11 - CVE-2026-41001 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-41001
Vulnerability Analysis
Spring Boot ships auto-configuration for an embedded Apache Artemis broker through ArtemisEmbeddedConfigurationFactory. When an application does not explicitly set spring.artemis.embedded.data-directory, the factory falls back to a fixed, predictable filesystem path. This path is the same across every host that runs the same Spring Boot version with default settings.
The predictable location is a textbook insecure temporary directory pattern. Any local user on the host can create the directory, change its permissions, or replace it with a symbolic link before the Spring Boot process starts. When the application later initializes the embedded broker, it reads and writes broker state through the attacker-controlled path.
The resulting impact is bounded by the data the embedded broker stores: queued messages, journal files, and broker metadata. The attacker can read, modify, or destroy this data, and can cause the broker to fail at startup by manipulating directory ownership.
Root Cause
The root cause is hardcoded use of a shared, world-reachable directory as the default data location. The factory does not generate a per-instance path, does not validate ownership of the existing directory, and does not refuse to start when the path is a symlink. This matches [CWE-377] Insecure Temporary File, where security relies on the absence of a pre-existing attacker-controlled object at a predictable path.
Attack Vector
Exploitation requires local access to the host with low privileges and no user interaction. The attacker performs the following sequence:
- Identifies a host running Spring Boot with the embedded Artemis broker enabled.
- Creates the predictable default data directory, or replaces it with a symlink to a sensitive location, before the Spring Boot process starts.
- Waits for the Spring Boot service to launch and initialize the broker against the attacker-controlled path.
- Reads broker journal contents, tampers with queued messages, or triggers denial of service against the broker.
No public proof-of-concept code is referenced in the advisory. For implementation specifics, see the Spring Security advisory for CVE-2026-41001.
Detection Methods for CVE-2026-41001
Indicators of Compromise
- Pre-existing Artemis data directory owned by a non-service local user prior to Spring Boot startup.
- Symbolic links at the default Artemis data path pointing to unrelated filesystem locations.
- Artemis journal files with mismatched ownership compared to the Spring Boot process user.
- Broker startup failures referencing permission or path errors on the data directory.
Detection Strategies
- Audit running Spring Boot applications for unset spring.artemis.embedded.data-directory configuration.
- Inventory hosts running affected Spring Boot versions and confirm whether the embedded Artemis broker is active.
- Inspect the default Artemis directory at process startup with file integrity monitoring to detect pre-creation by other users.
- Track creation of symlinks in shared temporary locations by non-privileged accounts.
Monitoring Recommendations
- Forward filesystem audit logs for shared temporary directories into a centralized SIEM for cross-host correlation.
- Alert when a non-service account creates or modifies the Artemis default data path.
- Monitor Spring Boot application logs for Artemis initialization errors that indicate path tampering.
How to Mitigate CVE-2026-41001
Immediate Actions Required
- Upgrade Spring Boot to a fixed maintenance release on your current minor line as listed in the vendor advisory.
- Explicitly configure spring.artemis.embedded.data-directory to a path inside an application-owned directory with restrictive permissions.
- Restrict local shell access on hosts running Spring Boot with the embedded Artemis broker.
- Validate that the configured Artemis data directory is not a symlink and is owned by the service account.
Patch Information
The Spring Security advisory for CVE-2026-41001 lists the fixed versions for each supported Spring Boot minor line. Upgrade from any affected version in the 2.7.x, 3.3.x, 3.4.x, 3.5.x, or 4.0.x series to the corresponding patched release.
Workarounds
- Set spring.artemis.embedded.data-directory to a path under the application's private directory tree.
- Apply 0700 permissions to the parent directory and ensure ownership matches the Spring Boot runtime user.
- Disable the embedded Artemis broker if it is not required and use an external broker instead.
- Enforce least-privilege local accounts so untrusted users cannot write to predictable filesystem locations.
# Configuration example: pin the embedded Artemis data directory
# application.properties
spring.artemis.mode=embedded
spring.artemis.embedded.data-directory=/var/lib/myapp/artemis-data
# Filesystem hardening
install -d -o myapp -g myapp -m 0700 /var/lib/myapp/artemis-data
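The directory conditions listed under Detection Strategies and Workarounds (a symlink at the data path, a directory owned by someone other than the service account, permissions that let other local users reach the broker's journal) can be checked before the broker starts. The following POSIX shell pre-start guard is an added example and is not code from the Spring Boot project or the vendor advisory. It assumes the path being checked is the value of spring.artemis.embedded.data-directory and that the deployer knows the service account name; the demo at the end runs against a constructed temporary tree rather than a real deployment path.

```shell
#!/bin/sh
# Pre-start guard for the embedded Artemis data directory.
# Added example, not part of Spring Boot or the advisory. Assumes:
#   - DIR is the value configured in spring.artemis.embedded.data-directory
#   - USER is the account the Spring Boot process runs as (e.g. "myapp")
# The guard rejects the three conditions the advisory describes: a symbolic
# link at the path, a directory owned by another local user, and permissions
# that expose the broker's journal files to other users.

# Print the numeric owner uid of a path (GNU stat first, BSD stat as fallback).
owner_uid_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Print the octal permission bits of a path, e.g. 700.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# check_artemis_data_dir DIR USER
# Returns 0 when DIR is a real directory (not a symlink) owned by USER with
# mode 0700; otherwise prints the reason to stderr and returns 1.
check_artemis_data_dir() {
    dir=$1
    user=$2
    if [ -L "$dir" ]; then
        echo "REJECT: $dir is a symbolic link" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "REJECT: $dir is missing or not a directory" >&2
        return 1
    fi
    expected_uid=$(id -u "$user" 2>/dev/null) || {
        echo "REJECT: service account $user does not exist on this host" >&2
        return 1
    }
    actual_uid=$(owner_uid_of "$dir")
    if [ "$actual_uid" != "$expected_uid" ]; then
        echo "REJECT: $dir is owned by uid $actual_uid, expected $user (uid $expected_uid)" >&2
        return 1
    fi
    mode=$(mode_of "$dir")
    if [ "$mode" != "700" ]; then
        echo "REJECT: $dir has mode $mode, expected 700" >&2
        return 1
    fi
    echo "OK: $dir is a $user-owned directory with mode 700"
    return 0
}

# Demonstration on a constructed temporary tree (no real deployment paths):
# one correctly provisioned directory and one symlink standing where the
# data directory is expected.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    install -d -m 0700 "$tmp/artemis-data"              # provisioned as in the hardening step
    ln -s "$tmp" "$tmp/artemis-decoy"                    # symlink at the expected path
    check_artemis_data_dir "$tmp/artemis-data" "$me"     # prints OK
    check_artemis_data_dir "$tmp/artemis-decoy" "$me" || true   # prints REJECT: symbolic link
    rm -rf "$tmp"
}

demo
```

Wired in as a pre-start step of the service (for example a systemd ExecStartPre= line, or the first command of a launch wrapper), a non-zero exit aborts the start so the broker never initializes against a tampered path; the demo function is only there so the script can be run on its own.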
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.