{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22740", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.675Z", "datePublished": "2026-04-29T10:46:15.633Z", "dateUpdated": "2026-04-29T14:00:50.573Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-29T14:00:50.573Z"}, "title": "Spring Framework DoS with Multipart Temp Files in WebFlux", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "type": "CWE"}]}], "affected": [{"vendor": "VMware", "product": "Spring Framework", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.7", "versionType": "semver"}, {"status": "affected", "version": "6.2.0", "lessThan": "6.2.18", "versionType": "semver"}, {"status": "affected", "version": "6.1.0", "lessThan": "6.1.27", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.48", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.\n\nOlder, unsupported versions are also affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.</p><p>Older, unsupported versions are also affected.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22740"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T11:55:51.268118Z", "id": "CVE-2026-22740", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T11:58:39.725Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22740", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-29T11:55:51.268118Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T11:56:11.419Z"}}], "cna": {"title": "Spring Framework DoS with Multipart Temp Files in WebFlux", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VMware", "product": "Spring Framework", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.7", "versionType": "semver"}, {"status": "affected", "version": "6.2.0", "lessThan": "6.2.18", "versionType": "semver"}, {"status": "affected", "version": "6.1.0", "lessThan": "6.1.27", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.48", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://spring.io/security/cve-2026-22740"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.\n\nOlder, unsupported versions are also affected.", "supportingMedia": [{"type": "text/html", "value": "<p>A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.</p><p>Older, unsupported versions are also affected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-29T14:00:50.573Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22740", "state": "PUBLISHED", "dateUpdated": "2026-04-29T14:00:50.573Z", "dateReserved": "2026-01-09T06:54:49.675Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-29T10:46:15.633Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "23C9BFA0-DDE5-4E6D-A9E0-ECC236913DF3", "versionEndExcluding": "5.3.48", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "FC58C148-219F-4868-B9F0-E0AF4435EF79", "versionEndExcluding": "6.1.27", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "F317C66F-752D-40A9-AECF-5D1E51368AFE", "versionEndExcluding": "6.2.18", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "78C5C95C-1A83-40E7-8C73-D5965E20BD06", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.\n\nOlder, unsupported versions are also affected."}], "id": "CVE-2026-22740", "lastModified": "2026-05-04T14:51:28.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-29T12:16:18.333", "references": [{"source": "security@vmware.com", "tags": ["US Government Resource"], "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1"}, {"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22740"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "spring-webflux: Spring WebFlux: Denial of Service via temporary file accumulation", "id": "2463786", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463786"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-459", "details": ["A flaw was found in Spring WebFlux, a component of the Spring Framework. A remote attacker can exploit this vulnerability by sending specially crafted multipart requests to a WebFlux server application. When processing these requests, the server creates temporary files that, under certain conditions, are not properly deleted. This can lead to an accumulation of temporary files, consuming available disk space and potentially causing a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-22740", "package_state": [{"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "spring-webflux", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Out of support scope", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "opentelemetry-javaagent-spring-webflux-5.0", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "opentelemetry-spring-webflux-5.3", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Out of support scope", "package_name": "opentelemetry-javaagent-spring-webflux-5.0", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "opentelemetry-spring-webflux-5.3", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "spring-webflux", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-29T10:46:15Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22740\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22740\nhttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1\nhttps://spring.io/security/cve-2026-22740"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.2.0,6.2.18)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.0,6.1.27)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.48)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring Framework", "source": "cna", "vendor": "VMware"}, "product": "spring_framework", "vendor": "vmware"}], "created": "2026-04-29T12:30:10.716922+00:00", "updated": "2026-05-06T01:30:15.887231+00:00", "vendors": ["vmware", "vmware$PRODUCT$spring_framework"]}