CVE-2026-41854 PUBLISHED

Spring Framework Server-Side Request Forgery via UriComponentsBuilder

Assigner: vmware
Reserved: 22.04.2026 Published: 09.06.2026 Updated: 09.06.2026

Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Framework
Versions	Default: unaffected affected from 7.0.0 to 7.0.8 (excl.) affected from 6.2.0 to 6.2.19 (excl.)

References

https://spring.io/security/cve-2026-41854

Problem Types

CWE-918: Server-Side Request Forgery (SSRF) CWE

Impacts

Incorrect host parsing in UriComponentsBuilder allows an attacker to supply an externally provided URL string that bypasses validation, resulting in a server-side request forgery attack.