Security researchers have identified two distinct vulnerabilities within the widely used Spring Framework, affecting both Spring MVC and Spring WebFlux applications. The advisories, covering an improper path limitation flaw and a Server-Sent Event (SSE) stream corruption issue, highlight the ongoing need for robust input validation and up-to-date dependency management in Java-based web environments.
Because Spring is a foundational element of the modern Java ecosystem, vulnerabilities in it can have a broad impact, in this case unauthorized disclosure of file contents and manipulation of real-time data streams delivered to other users.
The more severe of the two, CVE-2026-22737 (CVSS 5.9), is an improper path limitation in script template views, the view technology that renders templates through a Java scripting engine such as JRuby or Jython. It is reachable only under a specific configuration: a catch-all request mapping (/**) that ends in view rendering without an explicitly specified view name, so that the view name, and with it the template path, is derived from the request path. An attacker who controls the request path can then steer template resolution to a location outside the configured template directory.
“Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views”.
In effect, a crafted request causes the server to read and render a file outside the configured script template locations, disclosing its contents in the response. Applications that do not use script template views, or that always set the view name explicitly, are not exposed to this flaw.
The second advisory, CVE-2026-22735 (CVSS 2.6), describes corruption of Server-Sent Event (SSE) streams. It applies only when both preconditions hold: the application streams plain text rather than a structured format such as JSON, and an attacker controls part of the content that is streamed to other users.
“When all the conditions above are met, the attacker might corrupt the stream of data sent to other users. Depending on the frontend application logic, this could corrupt state or present malicious information to other users”.
SSE is a line-oriented protocol: each event is a run of field lines (data:, event:, id:) terminated by a blank line. If attacker-controlled plain text containing newline characters is written straight into a data field, the attacker can end the current event early and append fields or whole events of their own, so other users' browsers receive forged events. Depending on what the front end does with those events, that can mean displaying fraudulent information or corrupting client-side application state.
Both vulnerabilities impact multiple generations of the Spring Framework, including the latest 7.0 branch and legacy supported versions:
- Spring Framework 7.0.0 to 7.0.5
- Spring Framework 6.2.0 to 6.2.16
- Spring Framework 6.1.0 to 6.1.25
- Spring Framework 5.3.0 to 5.3.46
Organizations are urged to upgrade to the corresponding fixed versions immediately. Note that fixes for the 6.1.x and 5.3.x branches are available only through commercial support, so open-source users on those branches need to move to 6.2.17 or 7.0.6 to obtain the fixes:
| Affected Branch | Required Fix Version | Availability |
|---|---|---|
| 7.0.x | 7.0.6 | OSS |
| 6.2.x | 6.2.17 | OSS |
| 6.1.x | 6.1.26 | Commercial |
| 5.3.x | 5.3.47 | Commercial |