CVE-2026-41853— Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux
Possible ATT&CK Techniques 1AI
T1071.002 · File Transfer ProtocolsAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Framework | 7.0.0< 7.0.8 | affected |
6.2.0< 6.2.19 | affected | ||
6.1.0< 6.1.28 | affected | ||
5.3.0< 5.3.49 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41853
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Spring Framework 环境问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Spring Framework是Spring开源的一款应用开发框架。 Spring Framework 7.0.0及之前版本、6.2.0及之前版本、6.1.0及之前版本和5.3.0及之前版本存在环境问题漏洞,该漏洞源于Spring MVC和WebFlux应用容易受到Multipart请求夹带攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring | Spring Framework | 7.0.0 ~ 7.0.8 | - |
II. Public POCs for CVE-2026-41853
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41853
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41853 (1)
Same Patch Batch · Spring · 2026-06-09 · 51 CVEs total
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41003 | 7.6 HIGH | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41007 | 7.5 HIGH | Spring HATEOAS heap exhaustion through unbounded internal caching |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-40984 | 7.5 HIGH | Micrometer HTTP server instrumentations DoS vulnerability |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |
Showing top 20 of 51 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Spring Framework
- CVE-2026-41855
Spring Framework Unsafe Deserialization via Jackson JMS Conv - CVE-2026-41854
Spring Framework Server-Side Request Forgery via UriComponen - CVE-2026-41852
Spring Framework Arbitrary Method Invocation in SpEL Express - CVE-2026-41851
Spring Framework Denial of Service via Unbounded Cache in Sp - CVE-2026-41850
Spring Framework Algorithmic Denial of Service via SpEL Expr
Same vendor: Spring
- CVE-2026-47825
Spring Cloud Gateway Server Forwards Headers from Untrusted - CVE-2026-41708
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnera - CVE-2026-47835
Spring AI vector store metadata filtering to handle special - CVE-2026-41856
Spring GraphQL Annotation Detection Vulnerability - CVE-2026-41700
Cross-Site WebSocket Hijacking in Spring for GraphQL
Same weakness: CWE-444
- CVE-2026-48979
PHP Standard Library: HTTP/2 server-side missing content-len - CVE-2026-54388
Tinyproxy - HTTP Request Smuggling via Duplicate Content-Len - CVE-2026-54387
Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronizati - CVE-2026-50020
Netty's HttpObjectDecoder skips arbitrary initial control ch - CVE-2026-6338
HTTP request smuggling in Kong Enteprise Gateway
V. Comments for CVE-2026-41853
No comments yet