This vulnerability (CVE-2026-41843) in the Spring Framework arises from improper restriction of pathnames when resolving static resources in Spring MVC and WebFlux applications. It allows an attacker to perform path traversal attacks, potentially accessing sensitive files outside the intended directories. The affected versions span multiple major releases of the Spring Framework, specifically 5.3.0 to 5.3.48, 6.1.0 to 6.1.27, 6.2.0 to 6.2.18, and 7.0.0 to 7.0.7. The CVSS 3.1 base score is 5.9, indicating medium severity, with the attack requiring network access but high complexity and no privileges or user interaction. No official fix or patch is currently documented, and no exploits are known in the wild at this time.

Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server by bypassing directory restrictions when accessing static resources. This could lead to disclosure of sensitive information. The CVSS vector indicates no impact on integrity or availability, only confidentiality is affected. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to static resource endpoints, validating and sanitizing resource paths, and applying any recommended configuration changes from the vendor. Monitor Spring Framework advisories for updates and patches addressing this vulnerability.