View all Vulnerabilities

CVE-2026-41847

Authorization Bypass
Affects
Spring Framework
in
Spring
No items found.
Versions
>=5.3.0 <=5.3.48
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java platform, providing the core dependency-injection container as well as the web stacks that most Java server applications are built on. One of those stacks is Spring WebFlux, the reactive, non-blocking web framework, which offers a functional routing model in addition to annotated controllers. For Kotlin users, WebFlux ships a Kotlin Router DSL (router { ... } in org.springframework.web.reactive.function.server) that lets developers declare routes and cross-cutting filter blocks in idiomatic Kotlin. Filters in this DSL are the natural place to implement security concerns: authenticating a request, attaching a resolved principal, wrapping the ServerRequest, or sanitizing headers before the request reaches a handler.

A medium-severity vulnerability (CVE-2026-41847) has been identified in the reactive Kotlin Router DSL filter extension. When a filter passes a modified ServerRequest to the downstream handler (for example a wrapped request carrying an authenticated principal or sanitized headers), the DSL discards that modified request and invokes the handler with the original, unmodified request instead. Any security-relevant change a filter makes to the request is silently dropped, so a downstream handler that relies on the filter having enriched or sanitized the request receives the request exactly as the client sent it. In an application that uses a Kotlin DSL filter to enforce or shape security state on the request, this allows that enforcement to be bypassed.

Per OWASP, access control enforces policy such that users cannot act outside of their intended permissions, and failures typically lead to unauthorized information disclosure, modification, or destruction of data, or performing a business function outside the user's limits. A filter whose request modifications never reach the handler is exactly such a failure: the access-control decision the filter intended to impose is not the decision the handler actually sees.

This issue affects Spring Framework >=5.3.0 <=5.3.48.

Details

Module Info

Vulnerability Info

The vulnerability is in the filter extension of the reactive Kotlin Router DSL, defined in RouterFunctionDsl in the spring-webflux module (org.springframework.web.reactive.function.server). The DSL exposes filter so that a Kotlin application can register a function over every route built by the router. The filter function is handed the incoming ServerRequest and a continuation it can call to invoke the rest of the chain, and it is expected to be able to pass a modified request into that continuation.

Pre-fix, the DSL wired the continuation incorrectly. The inner lambda ignored the request the filter forwarded and instead re-used the request captured from the enclosing scope:

fun filter(filterFunction: (ServerRequest, (ServerRequest) -> Mono<ServerResponse>) -> Mono<ServerResponse>) {
    builder.filter { request, next ->
        filterFunction(request) {
            next.handle(request)
        }
    }
}

The lambda parameter passed by the filter (available as it) is the request the filter wants the handler to process. By calling next.handle(request) rather than next.handle(it), the DSL always handed the underlying HandlerFunction the original request. Any wrapping or mutation a filter performed (for example replacing the principal, decorating headers, or substituting a ServerRequest wrapper) was therefore discarded, and the handler executed against the unmodified client request. When the filter is performing a security function, the security state it established does not reach the handler, and the protection can be bypassed.

The defect was introduced in Spring Framework 5.2.0, where the filter extension was added to the Kotlin Router DSL (the function is documented @since 5.2). It was carried unchanged through the entire 5.2.x and 5.3.x lines. The advisory's stated range floor of 5.3.0 reflects Spring's currently-supported scope; the older 5.2.x line is also affected. The coroutine variant of the DSL (CoRouterFunctionDsl.filter, used by coRouter { ... }) is not affected: it already forwards the filter's request argument to the handler.

Steps To Reproduce

1. Create a Spring WebFlux application (Spring Framework 5.3.x) and define routes with the Kotlin Router DSL, using a filter block that wraps the incoming request to attach security state. For example, wrap the ServerRequest so it exposes an authenticated principal:

   class AuthenticatingRequest(
       delegate: ServerRequest,
       private val authenticated: Principal
   ) : ServerRequest by delegate {
       override fun principal(): Mono<Principal> = Mono.just(authenticated)
   }

   val routes = router {
       GET("/whoami") { request ->
           request.principal()
               .map { ServerResponse.ok().bodyValue("user=${it.name}") }
               .flatMap { it }
               .switchIfEmpty(ServerResponse.status(401).build())
       }
       filter { request, next ->
           val enriched = AuthenticatingRequest(request, NamedPrincipal("alice"))
           next(enriched)
       }
   }


2. Send a request to GET /whoami.

3. Observe the response. On an affected version the handler sees the original request, so request.principal() is empty and the endpoint returns 401, even though the filter forwarded an enriched request carrying the alice principal. The request modification made by the filter never reached the handler.

4. Repeat against a fixed build (Spring Framework 6.0.0, or a HeroDevs NES build). The handler now receives the request the filter forwarded, request.principal() resolves to alice, and the endpoint returns user=alice. This demonstrates that on affected versions a security modification applied in a Kotlin DSL filter is silently dropped.

Mitigation

Only recent versions of Spring Framework receive community support and updates. The 5.2.x and 5.3.x lines are End-of-Life for open-source support, and no public OSS release of those lines contains a fix for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework. The fix is present in the OSS 6.0.0 release and all later 6.x releases.
  • As an interim measure on an affected deployment, do not rely on the reactive Kotlin Router DSL filter block to apply security-relevant request modifications. Implement such concerns with a mechanism that propagates correctly on the affected version, for example a WebFilter registered on the reactive web chain, or the coroutine coRouter DSL whose filter forwards the modified request correctly.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-41847
PROJECT Affected
Spring Framework
Versions Affected
>=5.3.0 <=5.3.48
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Authorization Bypass
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.