CVE-2026-41847

MEDIUM 4.8

Spring Framework Security Filter Bypass in WebFlux Kotlin Router DSL

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

8th

Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48.

CWE	CWE-284
Vendor	spring
Product	spring framework
Ecosystems	Java Spring
Industries	TechnologyEnterprise
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for spring spring framework

Be the first to know when new medium vulnerabilities affecting spring spring framework are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Spring / Spring Framework

5.3.0 < 5.3.49

References

NVD ↗ CVE.org ↗ EPSS Data ↗

spring.io: https://spring.io/security/cve-2026-41847