Skip to main content

Spring Web Flow CVE-2026-40985

| EUVDEUVD-2026-36200 MEDIUM
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-06-11 vmware GHSA-9ggw-87m9-9gfc
6.4
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
6.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
6.4 MEDIUM

Non-default WebFlowELExpressionParser configuration drives AC:H; authenticated low-privilege access and required user interaction are independently confirmed by CVSS PR:L and UI:R; no availability impact per description.

3.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 06:01 EUVD
Analysis Generated
Jun 11, 2026 - 05:26 vuln.today

DescriptionCVE.org

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.

Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

AnalysisAI

Expression Language Injection in Spring Web Flow exposes applications explicitly configured with WebFlowELExpressionParser to evaluation of malicious Unified EL expressions submitted by authenticated low-privilege users. Affected versions span the 2.5.x, 3.0.x, and 4.0.0 release lines; exploitation requires both non-default configuration and user interaction, which meaningfully constrains real-world risk despite the High confidentiality and integrity impact ratings. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

Spring Web Flow (cpe:2.3:a:spring:spring_web_flow:*:*:*:*:*:*:*:*) is a Java framework built on Spring MVC that manages stateful, multi-step web application flows. The WebFlowELExpressionParser is an optional component that integrates the Java Unified Expression Language (EL) engine to evaluate expressions during flow execution - used for binding, validation, navigation decisions, and model access. CWE-917 (Expression Language Injection) describes the root cause: user-controlled input reaches an EL evaluator without adequate sanitization, allowing an attacker-supplied string to be interpreted as executable EL rather than literal data. This class of vulnerability is historically significant in the Spring ecosystem (cf. Spring Framework EL injection issues) and can expose server-side object graphs, invoke arbitrary Java methods available on the EL context, or alter application state depending on what objects are bound to the EL context at the time of evaluation.

RemediationAI

Consult the vendor advisory at https://spring.io/security/cve-2026-40985 for the exact patched release versions, as specific fix version numbers were not included in the available intelligence data and should not be inferred. The primary fix is upgrading to a patched release of Spring Web Flow once published by VMware/Broadcom. As an immediate compensating control, teams that do not require Unified EL expression evaluation should remove or replace the WebFlowELExpressionParser configuration - this eliminates the vulnerable code path entirely and carries minimal functional impact for applications not relying on this parser. Applications that must retain EL expression evaluation should enforce strict input validation and allowlisting on any user-supplied strings that could enter the EL evaluation context, and should restrict access to affected flow endpoints to authenticated, trusted users where possible. The UI:R requirement suggests that restricting who can trigger the relevant flow transitions may further limit exposure.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-40985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy