CVE-2026-22740: DoS in Spring Framework WebFlux
Platform: java
Component: spring-framework
Fixed in: 7.0.7 (and 5.3.48, 6.1.27, 6.2.18 on the older maintenance branches)
CVE-2026-22740 is a Denial of Service (DoS) vulnerability in the WebFlux component of the Spring Framework. It is triggered when a multipart request carries large parts: WebFlux writes such parts to temporary files on disk, and under certain conditions those files are not deleted once the request completes, so repeated requests can exhaust the server's disk. Versions from 5.3.0 onward are affected up to, but not including, the fixed releases 5.3.48, 6.1.27, 6.2.18 and 7.0.7.
Detect this CVE in your project
Upload your pom.xml file and we'll tell you instantly if you're affected.
Impact and Attack Scenarios
An attacker exploits CVE-2026-22740 by sending a series of multipart requests whose parts are large enough to be buffered on disk. WebFlux creates a temporary file for each such part; when those files are not removed after the request has been processed they accumulate, and once the volume holding the JVM's temporary directory is full the application can no longer accept uploads or write anything else it needs. Each leaked file persists until an operator removes it, so the attacker needs no timing tricks or special conditions, only enough requests. The blast radius is the host running the vulnerable application, but any other service that shares the same filesystem (logs, a local database, the system temp directory) is affected as well, so the impact can be significant where the application is critical.
Exploitation Context
CVE-2026-22740 was published on 2026-04-29. Its severity is currently assessed as medium. No public proof-of-concept (PoC) code had been released as of this writing. The vulnerability is not listed in CISA's KEV catalog, and its EPSS score is 0.05% (15th percentile), which indicates a low probability of exploitation in the wild; the attack itself is simple to carry out, however, so monitor security advisories and threat-intelligence feeds for reports of active exploitation.
Threat Intelligence
Exploit Status: no public PoC; not listed in CISA KEV
EPSS: 0.05% (15th percentile)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (base score 6.5, Medium, assembled from the metrics listed below)
- Attack Vector: Network. Exploitable remotely over the network; no local or physical access is needed, so any reachable multipart endpoint is in scope.
- Attack Complexity: Low. No race window, rare configuration or special condition is needed; the attacker only has to send large multipart uploads repeatedly.
- Privileges Required: Low. The upload endpoint must accept the attacker's requests, so a basic authenticated account (whatever credential reaches the endpoint) is enough; no elevated privileges are needed.
- User Interaction: None. No victim action is required.
- Scope: Unchanged. The impact stays within the vulnerable application's security authority, although the disk it fills may be shared with other processes.
- Confidentiality: None. No data is disclosed.
- Integrity: None. No data is modified.
- Availability: High. Disk exhaustion results in a full denial of service of the application.
Mitigation and Workarounds
The primary mitigation for CVE-2026-22740 is to upgrade to a fixed release: 7.0.7 or later, or 5.3.48, 6.1.27 or 6.2.18 on the older branches. If an immediate upgrade is not possible, reduce exposure in the meantime:
- Monitor disk usage of the JVM's temporary directory (java.io.tmpdir, where WebFlux stores multipart parts that are spilled to disk) and alert well before it fills. Keeping that directory on a volume of its own limits a leak to the application instead of the whole host.
- Cap what a single request may write to disk. In plain WebFlux these limits live on DefaultPartHttpMessageReader (setMaxDiskUsage, setMaxParts, setMaxInMemorySize); in Spring Boot the equivalent properties are spring.webflux.multipart.max-disk-usage, spring.webflux.multipart.max-parts and spring.webflux.multipart.max-in-memory-size. Caveat: these bound the damage per request, not the accumulation across many requests, so they slow the attack down rather than stop it.
- Reject oversized multipart requests at the edge (WAF or reverse proxy) by enforcing a body-size limit on upload routes.
After upgrading, confirm the fix by sending multipart requests whose parts exceed the in-memory threshold (256 KB by default), so that they are really written to disk, and verifying that the temporary files are gone once the requests complete.
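The post-upgrade check and the disk-usage alert described above, as an added shell example that is not part of this advisory or of the Spring project. It assumes an upload endpoint that accepts a multipart field named `file`, and that WebFlux spills large parts into a `spring-multipart*` directory under java.io.tmpdir (its default behaviour); the endpoint URL, `TMP_DIR` and the optional `AUTH_HEADER` are placeholders you set for your own deployment.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory or the Spring project.
# Checks whether a WebFlux multipart endpoint leaks temporary part files
# (the failure mode behind CVE-2026-22740) and doubles as the disk-usage
# alert suggested as a workaround.
#
# Assumptions (not stated on the page): the endpoint accepts a multipart
# field named "file"; WebFlux spills parts larger than its in-memory limit
# (256 KB by default) into a "spring-multipart*" directory under the JVM's
# java.io.tmpdir, so the probe must be bigger than that and TMP_DIR must
# point at that directory on the server under test.
set -u

# Number of regular files currently held in the multipart temp directory.
count_tmp_files() {
  local dir="$1"
  [ -d "$dir" ] || { echo 0; return; }
  find "$dir" -type f | wc -l | tr -d ' '
}

# Bytes used by the multipart temp directory (du -sk is portable; -b is not).
tmp_usage_bytes() {
  local dir="$1"
  [ -d "$dir" ] || { echo 0; return; }
  du -sk "$dir" | awk '{ print $1 * 1024 }'
}

# Workaround from the advisory: alert when temp usage crosses a threshold.
# Returns 0 below the threshold and 1 at or above it (wire into cron or
# your monitoring agent).
check_threshold() {
  local dir="$1" limit_bytes="$2" used
  used=$(tmp_usage_bytes "$dir")
  if [ "$used" -ge "$limit_bytes" ]; then
    echo "ALERT: $dir uses $used bytes (limit $limit_bytes)" >&2
    return 1
  fi
  return 0
}

# Send COUNT multipart uploads of SIZE_MB random bytes each to URL.
# AUTH_HEADER is optional (the CVSS vector lists PR:L, so the endpoint may
# require a valid session or token).
send_large_multipart() {
  local url="$1" size_mb="$2" count="$3" payload
  payload=$(mktemp)
  dd if=/dev/urandom of="$payload" bs=1048576 count="$size_mb" 2>/dev/null
  for _ in $(seq "$count"); do
    curl -sS -o /dev/null -w '%{http_code}\n' \
      ${AUTH_HEADER:+-H "$AUTH_HEADER"} \
      -F "file=@${payload};filename=probe.bin" "$url"
  done
  rm -f "$payload"
}

# Post-upgrade verification: the temp file count must return to its
# baseline once the requests complete. Returns 0 if clean, 1 if files
# were left behind.
verify_cleanup() {
  local url="$1" dir="$2" before after
  before=$(count_tmp_files "$dir")
  send_large_multipart "$url" 2 5
  sleep 2   # give the server a moment to finish its Part cleanup
  after=$(count_tmp_files "$dir")
  if [ "$after" -gt "$before" ]; then
    echo "LEAK: $((after - before)) temp file(s) remain in $dir" >&2
    return 1
  fi
  echo "OK: no leaked multipart temp files in $dir"
}

# Usage (run on the server, or wherever its tmpdir is visible):
#   TMP_DIR=$(ls -d /tmp/spring-multipart* | head -n 1)
#   verify_cleanup http://localhost:8080/upload "$TMP_DIR"
#   check_threshold "$TMP_DIR" $((1024 * 1024 * 1024))
```

Run `verify_cleanup` against a staging instance both before and after the upgrade: on a vulnerable build the file count should climb by one per leaked part, on a fixed build it should return to the baseline. `check_threshold` is the same measurement turned into an exit code, so it can sit in cron as the interim alert until the upgrade ships.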
How to fix
Upgrade your Spring Framework to version 5.3.48, 6.1.27, 6.2.18 or 7.0.7 (or later) to mitigate the denial-of-service risk. Review the release notes for breaking changes or incompatibilities before upgrading. Add further safeguards, such as limiting the maximum size of multipart request parts, to reduce the attack surface even more.
Frequently asked questions
What is CVE-2026-22740 — DoS in Spring Framework?
CVE-2026-22740 is a Denial of Service vulnerability in the Spring Framework's WebFlux component. Large multipart parts are written to temporary files that may not be deleted after the request, so an attacker can exhaust disk space by sending a stream of large multipart requests and disrupt application availability.
Am I affected by CVE-2026-22740 in Spring Framework?
You are affected if your application uses Spring Framework 5.3.0 or later but older than the fixed release for its branch (5.3.48, 6.1.27, 6.2.18 or 7.0.7) and exposes an endpoint that processes multipart requests through WebFlux. The fixed releases and anything newer are not affected.
How do I fix CVE-2026-22740 in Spring Framework?
Upgrade to the fixed release for your branch: 5.3.48, 6.1.27, 6.2.18 or 7.0.7 (or later). If an immediate upgrade is not possible, apply temporary mitigations such as monitoring disk usage of the JVM's temporary directory and capping per-request multipart disk usage and part counts.
Is CVE-2026-22740 being actively exploited?
As of now, there are no reports of active exploitation campaigns targeting CVE-2026-22740. However, it's crucial to monitor security advisories and threat intelligence for any changes.
Where can I find the official Spring Framework advisory for CVE-2026-22740?
Refer to the official Spring Framework security advisory for CVE-2026-22740 on the Spring Security website: [https://spring.io/security/cve-2026-22740](https://spring.io/security/cve-2026-22740)