Direct Request ('Forced Browsing') Affecting org.springframework:spring-webmvc package, versions [5.3.0, 6.0.0)[6.1.0, 6.2.19)[7.0.0-M1, 7.0.8)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
EPSS
0.31% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGSPRINGFRAMEWORK-17254527
  • published9 Jun 2026
  • disclosed8 Jun 2026
  • creditUnknown

Introduced: 8 Jun 2026

NewCVE-2026-41841  (opens in a new tab)
CWE-425  (opens in a new tab)

How to fix?

Upgrade org.springframework:spring-webmvc to version 6.0.0, 6.2.19, 7.0.8 or higher.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Direct Request ('Forced Browsing') via shared caching of static resource resolutions across resource handlers. An attacker can gain unauthorized access to protected resources when a shared cache stores a resource resolution result from a publicly accessible handler and subsequently reuses it for a protected handler serving a resource with the same name. This can cause resources that should require authentication to be served without proper access control checks.

Note: This is only exploitable if the application uses Spring MVC or Spring WebFlux, configures multiple resource handlers with different resource locations, protects at least one handler with authentication, and uses a shared cache for resource resolution.

CVSS Base Scores

version 4.0
version 3.1