CVE-2026-22745

EUVD-2026-26207

29.04.2026, 12:16

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.


More precisely, an application can be vulnerable when all the following are true:

  *  the application is using Spring MVC or Spring WebFlux
  *  the application is serving static resources from the file system
  *  the application is running on a Windows platform


When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
vmware	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
vmware	spring	7.0.0 ≤ 𝑥 < 7.0.7	CNA
vmware	spring	6.2.0 ≤ 𝑥 < 6.2.18	CNA
vmware	spring	6.1.0 ≤ 𝑥 < 6.1.27	CNA
vmware	spring	5.3.0 ≤ 𝑥 < 5.3.48	CNA

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1

https://spring.io/security/cve-2026-22745