CVE-2026-41001 PUBLISHED

Predictable Temp Directory in Artemis Auto-configuration

Assigner: vmware
Reserved: 16.04.2026
Published: 11.06.2026
Updated: 11.06.2026

Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts.
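As an added illustration (not Spring Boot's code and not the project's actual fix), the hypothetical `BrokerDataDir.resolve` helper below shows the defensive pattern the description implies: when no path is configured, create an unpredictable, owner-only directory that nobody can pre-create; when an explicit path is configured (in Spring Boot that is the `spring.artemis.embedded.data-directory` property, which is not quoted on this page), refuse a planted symlink or a directory owned or writable by another local user instead of trusting it. It assumes a POSIX filesystem.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.Set;

/** Hypothetical helper (not Spring Boot code) for picking an embedded broker data directory safely. */
public final class BrokerDataDir {

    // rwx------ : other local users can neither read nor write the broker journal
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));

    public static Path resolve(String configured) throws IOException {
        if (configured == null || configured.isBlank()) {
            // Random suffix: the name is unknown before startup, so it cannot be pre-created.
            return Files.createTempDirectory("artemis-data-", OWNER_ONLY);
        }
        Path dir = Paths.get(configured);
        // Look at the path entry itself (NOFOLLOW_LINKS); never follow a symlink someone planted.
        if (Files.isSymbolicLink(dir)) {
            throw new IOException("refusing to use symlink as data directory: " + dir);
        }
        if (!Files.exists(dir, LinkOption.NOFOLLOW_LINKS)) {
            // createDirectory is atomic: if the path appears in between, it throws
            // FileAlreadyExistsException rather than silently adopting the attacker's directory.
            Files.createDirectory(dir, OWNER_ONLY);
            return dir;
        }
        PosixFileAttributes attrs =
                Files.readAttributes(dir, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        if (!attrs.isDirectory()) {
            throw new IOException("data directory path is not a directory: " + dir);
        }
        UserPrincipal me = FileSystems.getDefault().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!attrs.owner().equals(me)) {
            throw new IOException("data directory is owned by another user: " + dir);
        }
        Set<PosixFilePermission> perms = attrs.permissions();
        if (perms.contains(PosixFilePermission.GROUP_WRITE)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException("data directory is writable by other users: " + dir);
        }
        return dir;
    }
}
```

Every rejection is fail-closed: the broker does not start on a suspicious directory, which is the behaviour a defender wants over a fixed path silently reused from a previous run.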

Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 5.3

Product Status

Vendor: Spring
Product: Spring Boot
Versions (default status: unaffected):
  • affected from 4.0.0 to 4.0.7 (excl.)
  • affected from 3.5.0 to 3.5.15 (excl.)
  • affected from 3.4.0 to 3.4.17 (excl.)
  • affected from 3.3.0 to 3.3.20 (excl.)
  • affected from 2.7.0 to 2.7.34 (excl.)

Problem Types

  • CWE-377: Insecure Temporary File

Impacts

  • A local attacker on the same host can pre-create a predictable Artemis broker data directory or place a symlink before the application starts, enabling message queue hijacking, malicious message injection, or code execution via deserialization.