How to Fix CVE-2026-22741: Spring Framework (Bundle Sibling)

By Sai Kiran Pandrala

Last verified: 2026-05-25

CVE-2026-22741 is a sibling vulnerability in the same vendor advisory as CVE-2026-22740. Applying the patched build named in the primary write-up closes this CVE as well.

What's different about CVE-2026-22741?

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

* the application is using Spring MVC or Spring WebFlux

* the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.

The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.

How to fix CVE-2026-22741

Apply the patched build per the primary write-up: How to Fix CVE-2026-22740.

The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.

Frequently asked questions

Is CVE-2026-22741 fixed by the same patch as CVE-2026-22740?

Yes. CVE-2026-22741 ships in the same vendor advisory as CVE-2026-22740. Applying the patched build named in the primary write-up closes both.

What is the CVSS score for CVE-2026-22741?

The CVSS base score is 3.1 (Low).

Is it being exploited?

It is not currently listed in CISA KEV.

References

• Official vendor advisory: https://spring.io/security/cve-2026-22741
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-22741
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Primary write-up: How to Fix CVE-2026-22740

*Part of the Spring Framework bundle. Full procedure at CVE-2026-22740.*