Spring Security Advisories

RSS feed

CVE-2026-41847: Spring Framework Security Filter Bypass in WebFlux Kotlin Router DSL

MEDIUM | JUNE 08, 2026 | CVE-2026-41847

Description

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL.

More precisely, an application can be vulnerable when all the following are true:

  • The application uses Spring WebFlux.
  • The application uses the Kotlin Router DSL.
  • The application uses a filter that passes a modified or replaced ServerRequest (for example, via ServerRequestWrapper) to the next handler function in order to apply security-related concerns.

When all the conditions above are met, any security-related modifications applied to the ServerRequest by the filter are silently discarded. The downstream handler receives the original, unmodified request instead of the modified one, causing the security enrichment to have no effect.

Affected Spring Products and Versions

Spring Framework:

  • 5.3.0 - 5.3.48

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
5.3.x 5.3.49 Commercial

No further mitigation steps are necessary.

Credit

This issue was discovered internally.

References

History

  • 2026-06-08: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all