CVE-2026-22741: CWE-524 Information Exposure Through Caching in VMware Spring Framework
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
AI Analysis
Technical Summary
Spring MVC and WebFlux applications using Spring Framework versions 5.3.0, 6.1.0, 6.2.0, and 7.0.0 are vulnerable to cache poisoning when resolving static resources if resource chain support with caching and encoded resource resolution is enabled. An attacker can send crafted requests to poison the resource cache with incorrectly encoded resources, potentially causing denial of service by disrupting the front-end application. The vulnerability is classified under CWE-524 (Information Exposure Through Caching). Exploitation requires the cache to be empty at the time of attack and specific application configurations. The CVSS 3.1 base score is 3.1, indicating low severity. There is no vendor advisory or patch available at this time.
Potential Impact
The impact is limited to a potential denial of service condition caused by cache poisoning of static resources, which can break the front-end application for clients. There is no confidentiality or integrity impact reported. No known exploits exist in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, review application configurations related to resource chain caching and encoded resource resolution. Consider disabling caching or encoded resource resolution if feasible to reduce exposure. Monitor vendor communications for updates.
CVE-2026-22741: CWE-524 Information Exposure Through Caching in VMware Spring Framework
Description
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Spring MVC and WebFlux applications using Spring Framework versions 5.3.0, 6.1.0, 6.2.0, and 7.0.0 are vulnerable to cache poisoning when resolving static resources if resource chain support with caching and encoded resource resolution is enabled. An attacker can send crafted requests to poison the resource cache with incorrectly encoded resources, potentially causing denial of service by disrupting the front-end application. The vulnerability is classified under CWE-524 (Information Exposure Through Caching). Exploitation requires the cache to be empty at the time of attack and specific application configurations. The CVSS 3.1 base score is 3.1, indicating low severity. There is no vendor advisory or patch available at this time.
Potential Impact
The impact is limited to a potential denial of service condition caused by cache poisoning of static resources, which can break the front-end application for clients. There is no confidentiality or integrity impact reported. No known exploits exist in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, review application configurations related to resource chain caching and encoded resource resolution. Consider disabling caching or encoded resource resolution if feasible to reduce exposure. Monitor vendor communications for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-01-09T06:54:49.675Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f2b622cbff5d86107b2353
Added to database: 4/30/2026, 1:53:38 AM
Last enriched: 4/30/2026, 1:54:55 AM
Last updated: 4/30/2026, 3:16:36 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.