CVE-2026-22740 MEDIUM

CVE-2026-22740: Spring Framework DoS with Multipart Temp Files in WebFlux

Vendor Vmware
Product Spring Framework
Weakness CWE-400
Published April 29, 2026
Last update April 29, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.

Key dates

02Disclosure timeline

April 29, 2026 CVE published
April 29, 2026 Record updated