CVE-2026-41841 is an information disclosure vulnerability affecting Spring MVC and WebFlux applications that resolve static resources through resource handlers. The flaw resides in how the shared static resource cache interacts with multiple resource handlers configured with different authentication requirements. Spring applications often set up several resource handlers for different locations; for instance, one handler might serve publicly available assets from /public/, while another serves sensitive resources from /secure/, the latter protected by authentication. If both handlers share the same cache, an attacker can exploit a subtle race condition in the caching mechanism.
The attack requires the following conditions: the application uses Spring MVC or Spring WebFlux; it has configured multiple resource handlers pointing to different resource locations; at least one of those handlers requires authentication to access its resources; and a shared cache is used across these configurations.
When a publicly available resource (for example, style.css) is requested for the first time, Spring resolves it through the public handler, caches the result, and stores the resolved file path in the shared cache. Later, if an attacker requests the same resource name (e.g., style.css) from the protected location (e.g., /secure/style.css), Spring checks the cache and mistakenly returns the already-cached public resource, completely bypassing any authentication checks. This flaw essentially allows an unauthenticated attacker to retrieve protected static resources by merely knowing or guessing their filenames, as long as a public resource with an identical name has been cached earlier. The vulnerability is triggered at the point where the `ResourceResolver` chain determines the resource location: the cache key is based on the resource path and not on the originating resource handler, leading to the confusion.
This attack is remote, requires no user interaction, and has a high attack complexity because the attacker needs to be aware of the shared cache configuration and the presence of identically named public resources. Successful exploitation can expose sensitive files such as configuration files, internal logs, or any other protected static assets, potentially leading to further compromise of the application environment. The vulnerability has been patched in Spring Framework versions 5.3.49, 6.1.28, 6.2.19, and 7.0.8.
DailyCVE Form:
Platform: Spring MVC/WebFlux
Version: 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, 7.0.0-7.0.7
Vulnerability: Information Disclosure
Severity: Medium (5.9)
Date: 2026-06-09
Prediction: 2026-06-08
What Undercode Say
```bash
# Check Spring Framework version
grep -A 2 "spring-framework" pom.xml | grep "<version>" | head -1

# Detect vulnerable resource handlers
# (-E is required so that "|" is treated as alternation, not a literal character)
curl -s -I https://target.com/public/css/style.css | grep -iE "cache|etag"

# Test for cache pollution vulnerability
curl -s -o /dev/null -w "%{http_code}\n" https://target.com/public/favicon.ico
curl -s -o /dev/null -w "%{http_code}\n" https://target.com/admin/favicon.ico

# Check for identical filenames across handlers
curl -s https://target.com/public/js/app.js > public.js
curl -s https://target.com/internal/js/app.js > internal.js
diff public.js internal.js
```
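The identical-filename check above can also be run offline against the application's own resource directories, which is how a maintainer would find the colliding names before deployment. This is an added example, not code from the original page or from Spring; the class name `ResourceNameAudit` and the constructed directory tree are assumptions, and it needs Java 12 or later for `Files.mismatch`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

// Hypothetical audit helper: lists relative paths that exist under both
// the public and the protected resource location.
public class ResourceNameAudit {

    /** Returns one finding per colliding relative path, tagged by content equality. */
    static List<String> collisions(Path publicRoot, Path secureRoot) throws IOException {
        List<String> findings = new ArrayList<>();
        try (Stream<Path> files = Files.walk(publicRoot)) {
            Iterable<Path> regular = files.filter(Files::isRegularFile).sorted()::iterator;
            for (Path p : regular) {
                Path rel = publicRoot.relativize(p);   // e.g. css/style.css
                Path twin = secureRoot.resolve(rel);   // same name, protected location
                if (Files.isRegularFile(twin)) {
                    // Files.mismatch returns -1 when both files are byte-identical.
                    boolean same = Files.mismatch(p, twin) == -1L;
                    findings.add((same ? "SAME      " : "DIFFERENT ") + rel);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree so the example runs without a real project.
        Path base = Files.createTempDirectory("resource-audit");
        Path pub = Files.createDirectories(base.resolve("public/css"));
        Path sec = Files.createDirectories(base.resolve("secure/css"));
        Files.writeString(pub.resolve("style.css"), "body{}");
        Files.writeString(sec.resolve("style.css"), "/* internal */");
        Files.writeString(pub.resolve("site.css"), "a{}");   // no twin, not reported

        collisions(base.resolve("public"), base.resolve("secure"))
                .forEach(System.out::println);
    }
}
```

Paths reported as DIFFERENT are the ones where a cache mix-up between handlers would serve the wrong content.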
Exploit
```bash
# Step 1: Prime the cache with a public resource
curl -X GET "https://target.com/public/logo.png" --output /dev/null
# Step 2: Access the same resource name under a protected handler
curl -X GET "https://target.com/secure/logo.png" --output stolen_logo.png
# Step 3: If successful, the cached public logo is returned, bypassing authentication
# The attacker now has access to the protected resource
```
Protection
Upgrade to Spring Framework version 5.3.49, 6.1.28, 6.2.19, 7.0.8, or later.
If an immediate upgrade is not possible, isolate the application behind a network filter that restricts access to static resource URLs.
Employ application firewall rules to block suspicious requests targeting unknown or internal paths.
Review resource handling configurations and enforce strict cache policies that prevent path disclosure.
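For the configuration review, this is what the shared-cache precondition from the description looks like in Spring MVC Java configuration, next to a variant that gives each handler its own cache. It is an added example, not code from the original page or from the Spring project; the handler paths, classpath locations, class names and cache names are assumptions, and separating the caches only removes the listed precondition as an interim measure, it does not replace the upgrade.

```java
import org.springframework.cache.Cache;
import org.springframework.cache.concurrent.ConcurrentMapCache;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// WEAK (shown for comparison, deliberately not annotated as a configuration):
// one Cache instance is handed to both resource chains, so entries resolved
// by the public handler and by the protected handler live side by side.
class SharedCacheConfig implements WebMvcConfigurer {
    private final Cache shared = new ConcurrentMapCache("static-resources");

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/public/**")
                .addResourceLocations("classpath:/static/public/")
                .resourceChain(true, shared);
        registry.addResourceHandler("/secure/**")
                .addResourceLocations("classpath:/static/secure/")
                .resourceChain(true, shared);   // same instance as above
    }
}

// CORRECTED: each handler gets its own Cache instance, so a name cached
// for /public/** can never be looked up while serving /secure/**.
@Configuration
class SeparateCacheConfig implements WebMvcConfigurer {
    private final Cache publicCache = new ConcurrentMapCache("static-public");
    private final Cache secureCache = new ConcurrentMapCache("static-secure");

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/public/**")
                .addResourceLocations("classpath:/static/public/")
                .resourceChain(true, publicCache);
        registry.addResourceHandler("/secure/**")
                .addResourceLocations("classpath:/static/secure/")
                .resourceChain(true, secureCache);
    }
}
```

When reviewing an existing code base, search for calls to `resourceChain(true, ...)` and check whether more than one handler receives the same `Cache` object or bean.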
Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication controls and retrieve protected static resources. This can expose sensitive files such as configuration files, log files, source code, or other internal system data, leading to a breach of confidentiality and potentially enabling further attacks on the application environment. The CVSS score of 5.9 indicates a moderate severity, but the actual impact can be critical if highly sensitive information is disclosed.
Sources:
Reported By: nvd.nist.gov

