CVE-2026-41843 Overview
CVE-2026-41843 is a path traversal vulnerability [CWE-22] affecting Spring MVC and WebFlux applications when resolving static resources. Attackers can craft requests that escape the intended static resource directory and access files outside the configured root. The flaw impacts Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. The vulnerability is exploitable over the network without authentication or user interaction, though successful exploitation requires high attack complexity.
Critical Impact
Unauthenticated attackers can read sensitive files outside the static resource root, potentially exposing configuration data, credentials, or application source code.
Affected Products
- Spring Framework 7.0.0 through 7.0.7
- Spring Framework 6.2.0 through 6.2.18, and 6.1.0 through 6.1.27
- Spring Framework 5.3.0 through 5.3.48
Discovery Timeline
- 2026-06-09 - CVE-2026-41843 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-41843
Vulnerability Analysis
The vulnerability resides in the static resource handling logic of Spring MVC and Spring WebFlux. Both frameworks expose static resources through configurable resource handlers that map URL patterns to filesystem or classpath locations. When the resource resolver normalizes user-supplied path segments, certain encoded or malformed traversal sequences are not consistently rejected.
An attacker who crafts a request targeting a static resource endpoint can append traversal sequences to read files outside the declared resource root. The result is confidentiality loss without modification or service disruption, consistent with the impact profile assigned by the vendor.
The vulnerability carries high attack complexity, which indicates that exploitation depends on specific resource handler configurations and request encoding conditions. Applications that expose static content over the internet and rely on default resource resolution chains are the primary risk population.
Root Cause
The root cause is incomplete path normalization during static resource resolution [CWE-22]. The resolver fails to canonicalize all traversal forms before checking that the resolved path remains under the configured base directory. This permits requests containing encoded or compound traversal sequences to bypass the containment check.
Attack Vector
Exploitation occurs over the network through standard HTTP requests directed at endpoints served by Spring's static resource handlers. No authentication or user interaction is required. The attacker sends a crafted request whose path component contains traversal sequences that survive normalization and escape the static resource root. The vulnerability mechanism is described in the Spring Security Advisory for CVE-2026-41843.
Detection Methods for CVE-2026-41843
Indicators of Compromise
- HTTP request logs containing encoded traversal sequences such as %2e%2e%2f, ..%2f, or ..\ targeting static resource URL prefixes including /resources/, /static/, /webjars/, and /public/.
- Successful HTTP 200 responses to requests for paths that include traversal characters, especially when the returned content type does not match the requested static asset type.
- Sensitive files such as application.properties, application.yml, or /WEB-INF/ resources being returned through static resource endpoints.
Detection Strategies
- Inspect access logs for requests to static resource handlers containing .., encoded dot sequences, or backslash variants in the path component.
- Correlate web server logs with application logs to identify resource resolutions that succeed against paths outside expected static directories.
- Apply web application firewall signatures that flag path traversal patterns in URI paths and query strings.
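The first two strategies above, as an added Python log scanner that is not part of the advisory: it parses combined-format access log lines, decodes each request path repeatedly so double-encoded sequences collapse, treats a backslash as a separator, flags any request whose path contains a `..` segment, and ranks a hit higher when the server answered 200. The log lines, client addresses (documentation ranges) and the static prefix list are constructed for the example.

```python
# Added example (not from the advisory): scan access logs for traversal sequences
# aimed at static resource handlers and rank the hits by response status.
import re
from urllib.parse import unquote, urlsplit

# Prefixes commonly mapped to static resource handlers (taken from the indicators above).
STATIC_PREFIXES = ("/resources/", "/static/", "/webjars/", "/public/")

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_fully(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) collapse."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(raw_path: str) -> bool:
    """True when any path segment, after decoding and treating '\\' as '/', is '..'."""
    decoded = decode_fully(raw_path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def scan_access_log(lines):
    """Return one finding per request whose path contains a traversal sequence."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        raw_path = urlsplit(match.group("target")).path
        if not has_traversal(raw_path):
            continue
        status = int(match.group("status"))
        findings.append({
            "ip": match.group("ip"),
            "path": raw_path,
            "decoded": decode_fully(raw_path),
            "status": status,
            "static_prefix": raw_path.startswith(STATIC_PREFIXES),
            # A 200 means the handler served something for a traversal path: triage first.
            "severity": "high" if status == 200 else "medium",
        })
    return findings


# Constructed sample lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2026:10:15:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 1834',
    '203.0.113.7 - - [09/Jun/2026:10:15:05 +0000] "GET /static/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1" 200 912',
    '198.51.100.4 - - [09/Jun/2026:10:16:10 +0000] "GET /resources/..%5c..%5capplication.properties HTTP/1.1" 404 0',
    '198.51.100.4 - - [09/Jun/2026:10:16:12 +0000] "GET /api/users?id=1 HTTP/1.1" 200 240',
    '192.0.2.9 - - [09/Jun/2026:10:17:30 +0000] "GET /webjars/%252e%252e/%252e%252e/application.yml HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["status"], finding["decoded"])
```

Matching on decoded segments rather than on a fixed list of encodings is the point: a signature that only knows `%2e%2e%2f` misses the `..%5c` and `%252e` forms in the sample, whereas decoding to a fixed point and then splitting catches all three with one rule.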
Monitoring Recommendations
- Enable verbose logging on Spring's ResourceHttpRequestHandler and equivalent WebFlux handlers to capture resolved file paths.
- Monitor for unusual file-read activity by the JVM process targeting paths outside declared static resource directories.
- Alert on response payloads from static endpoints containing configuration-file markers such as spring.datasource, password=, or private key headers.
How to Mitigate CVE-2026-41843
Immediate Actions Required
- Upgrade Spring Framework to a fixed version as referenced in the Spring Security Advisory for CVE-2026-41843.
- Inventory applications using Spring MVC or WebFlux and identify all configured static resource handlers and their backing locations.
- Restrict static resource directories so they contain only assets safe for public exposure, excluding configuration files and credentials.
Patch Information
Pivotal has published fixed releases addressing this vulnerability. Consult the Spring Security Advisory for CVE-2026-41843 for the specific patched versions corresponding to the 7.0.x, 6.2.x, 6.1.x, and 5.3.x branches and apply the upgrade that matches your deployment branch.
Workarounds
- Place a reverse proxy or web application firewall in front of the application to reject requests whose URI paths contain .. or encoded traversal sequences before they reach Spring.
- Reconfigure static resource handlers to serve from directories that contain no sensitive content, isolating static assets from application configuration and source files.
- Disable unused static resource handlers and remove default mappings such as /** to classpath:/static/ when not required.
# Example WAF rule (ModSecurity syntax) to block path traversal in static resource requests.
# REQUEST_URI is not URL-decoded by ModSecurity, so decode once before matching (this also
# reduces double-encoded %252e to %2e, which the pattern still catches), and match
# case-insensitively so %2E/%2F variants are caught as well as %2e/%2f.
SecRule REQUEST_URI "@rx (?i)(?:\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)" \
"id:1004184,phase:1,t:none,t:urlDecodeUni,deny,status:400,msg:'Path traversal attempt in static resource request'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.