CVE-2026-41001
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Boot is a framework that simplifies building production-ready, stand-alone Java applications on top of the Spring ecosystem, providing auto-configuration, embedded servers, and opinionated defaults. Its JMS auto-configuration can start an embedded Apache Artemis message broker when one is on the classpath.
A medium-severity vulnerability (CVE-2026-41001) has been identified in Spring Boot's embedded Artemis auto-configuration. When no explicit data directory is configured, ArtemisEmbeddedConfigurationFactory derives the broker's data directory from the shared system temporary directory plus the fixed subdirectory name artemis-data, producing a fully predictable path. A local attacker on the same host can pre-create this directory, or plant a symlink in its place, before the application starts. The embedded broker then reads and writes its journal, bindings, and paging data through an attacker-influenced location, which can be used to hijack or tamper with message-queue data, inject messages, or reach deserialization code paths through crafted journal contents.
Per OWASP, an insecure temporary file occurs when an application creates temporary resources at predictable locations that other local users can observe or pre-create, allowing them to read, modify, or hijack the data the application stores there.
This issue affects versions >=0.0.0 <2.7.34, >=3.3.0 <3.3.20, >=3.4.0 <3.4.17, >=3.5.0 <3.5.15, and >=4.0.0 <4.0.7 of Spring Boot.
Details
Module Info
- Product: Spring Boot
- Affected packages: spring-boot-autoconfigure
- Affected versions: >=0.0.0 <2.7.34, >=3.3.0 <3.3.20, >=3.4.0 <3.4.17, >=3.5.0 <3.5.15, >=4.0.0 <4.0.7
- GitHub repository: https://github.com/spring-projects/spring-boot
- Published packages: https://central.sonatype.com/artifact/org.springframework.boot/spring-boot-autoconfigure
- Package manager: maven
- Fixed in:
  - NES for Spring Boot
  - Spring Boot 4.0.7, 3.5.15 (OSS)
Vulnerability Info
The embedded Artemis broker is configured by ArtemisEmbeddedConfigurationFactory. When the application does not set an explicit data directory, the factory computes one from the JVM system temporary directory and a constant subdirectory name:
private String getDataDir() {
    // An explicitly configured data directory is used as-is.
    if (this.properties.getDataDirectory() != null) {
        return this.properties.getDataDirectory();
    }
    // Otherwise fall back to <java.io.tmpdir>/artemis-data: a shared, predictable path.
    String tempDirectory = System.getProperty("java.io.tmpdir");
    return new File(tempDirectory, "artemis-data").getAbsolutePath();
}
Because both the system temporary directory and the artemis-data subdirectory name are predictable and shared across local users, the resulting path can be anticipated by any user on the host. An attacker can create artemis-data ahead of the application, set permissions or ownership in their favor, or replace it with a symlink pointing at a sensitive location. When the broker starts, it stores its journal and bindings under that attacker-controlled directory. Artemis journal records can carry serialized message bodies, so control over this directory enables message tampering, message injection, and deserialization-based attack avenues, in addition to disclosure of queued data.
The remediation routes the default through Spring Boot's ApplicationTemp, which returns an application-specific subdirectory whose name is not predictable to other local users and which is created with restrictive ownership, so the broker's data directory can no longer be pre-created or hijacked by an unprivileged local user.
Mitigation
All affected Spring Boot lines covered by HeroDevs Never-Ending Support are past their open-source end-of-life, and several of the affected lines have no publicly available fix: the upstream advisory ships public (OSS) releases only for the still-maintained 4.0.x and 3.5.x lines, while the 3.4.x, 3.3.x, and 2.7.x fixes were not released as public OSS versions.
Recommended actions:
- Upgrade to a supported Spring Boot version that contains the fix (Spring Boot 4.0.7 or 3.5.15) where feasible.
- For applications that must remain on an end-of-life Spring Boot line, use HeroDevs Never-Ending Support (NES) for Spring Boot, which provides a backported fix for this vulnerability on otherwise unsupported lines.
As an interim configuration-level hardening, set an explicit, securely permissioned data directory for the embedded broker (the spring.artemis.embedded.data-directory property) so the predictable default path is not used. The directory should sit outside the shared system temporary directory and be created ahead of time, owned by the application's user and not writable by other local users.
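The pre-flight check below is an added example, not code from the advisory or from Spring Boot. It shows, from the operator's side, how the predictable default path is derived and how a directory chosen via spring.artemis.embedded.data-directory can be verified before the application starts (not a symlink, owned by the broker's user, owner-only permissions), creating it atomically with mode 0700 when it does not yet exist. It assumes a POSIX host; the scratch directory and the three scenarios it builds are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

def default_artemis_data_dir(java_io_tmpdir: str = "/tmp") -> Path:
    """The vulnerable default: <java.io.tmpdir>/artemis-data, predictable to every local user."""
    return Path(java_io_tmpdir) / "artemis-data"

def inspect_data_dir(path: Path) -> list:
    """Reasons an existing broker data directory must not be trusted (empty list = acceptable)."""
    findings = []
    try:
        st = os.lstat(path)            # lstat, so a planted symlink is reported as a symlink
    except FileNotFoundError:
        return findings                # nothing pre-created yet
    if stat.S_ISLNK(st.st_mode):
        return [f"{path} is a symlink to {os.readlink(path)}"]
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{path} exists but is not a directory")
    if st.st_uid != os.getuid():
        findings.append(f"{path} is owned by uid {st.st_uid}, not by this process")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is group/world accessible (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings

def ensure_private_dir(path: Path) -> Path:
    """Create the data directory with mode 0700; accept an existing one only if it passes inspection."""
    try:
        os.mkdir(path, 0o700)          # atomic: a pre-created entry or symlink makes this fail
    except FileExistsError:
        problems = inspect_data_dir(path)
        if problems:
            raise RuntimeError("refusing unsafe data directory: " + "; ".join(problems))
    return path

def run_scenarios() -> dict:
    """Constructed scenarios in a private scratch directory; returns each outcome."""
    base = Path(tempfile.mkdtemp(prefix="artemis-check-"))
    results = {}
    fresh = ensure_private_dir(base / "fresh")                   # nothing pre-created
    results["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)
    results["fresh_findings"] = inspect_data_dir(fresh)
    os.symlink(base / "elsewhere", base / "planted")             # constructed: symlink in place of the dir
    results["symlink_findings"] = inspect_data_dir(base / "planted")
    try:
        ensure_private_dir(base / "planted")
        results["symlink_rejected"] = False
    except RuntimeError:
        results["symlink_rejected"] = True
    os.mkdir(base / "loose"); os.chmod(base / "loose", 0o777)    # constructed: pre-created, world-writable
    results["loose_findings"] = inspect_data_dir(base / "loose")
    return results
```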
Credits
- Yu Bao from PayPal (finder)