CVE-2026-22741

Static resource cache poisoning in Spring MVC and WebFlux

Assigner: vmware
Reserved: 09.01.2026 Published: 29.04.2026 Updated: 29.04.2026

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

the application is using Spring MVC or Spring WebFlux
the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled
the application adds support for encoded resources resolution
the resource cache must be empty when the attacker has access to the application

When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	VMware
Product	Spring Framework
Versions	Default: affected affected from 7.0.0 to 7.0.7 (excl.) affected from 6.2.0 to 6.2.18 (excl.) affected from 6.1.0 to 6.1.27 (excl.) affected from 5.3.0 to 5.3.48 (excl.)

Vendor

VMware

Product

Spring Framework

Versions

Default: affected

affected from 7.0.0 to 7.0.7 (excl.)
affected from 6.2.0 to 6.2.18 (excl.)
affected from 6.1.0 to 6.1.27 (excl.)
affected from 5.3.0 to 5.3.48 (excl.)

Credits

Yuki Matsuhashi . finder

References

Problem Types