
Spring Framework CVE-2026-41852

EUVD-2026-35340 | Severity: LOW
Incorrect Authorization (CWE-863)
2026-06-09 | vmware | GHSA-9f52-rjqv-25qv
CVSS 3.1 base score: 3.7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Patch available: Jun 09, 2026 - 06:01 (EUVD)
Analysis Generated: Jun 09, 2026 - 05:22 (vuln.today)

Description (NVD)

A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Analysis (AI)

Spring Expression Language (SpEL) evaluation logic in Spring Framework 5.3.x through 7.0.x fails to enforce method invocation restrictions in read-only or restricted contexts, allowing remote unauthenticated attackers (CVSS PR:N, AV:N) to invoke arbitrary zero-argument methods and trigger unintended application logic. Scored LOW (3.7) with only availability impact per CVSS (A:L), though the 'Authentication Bypass' tag and CWE-863 (Incorrect Authorization) suggest the authorization bypass itself may have broader implications not fully reflected in the score. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify SpEL evaluation endpoint accepting external input
Delivery: Fingerprint Spring Framework version and expression context type
Exploit: Craft payload invoking zero-argument method
Execution: Submit via unauthenticated network request (AV:N, PR:N)
Persist: Bypass restricted-context enforcement (CWE-863)
Impact: Invoke unintended application logic causing availability impact

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application (1) uses Spring Framework's SpEL evaluation engine, (2) evaluates expressions that are influenced by attacker-controlled or externally sourced input, and (3) relies on a restricted or read-only SpEL context (e.g., SimpleEvaluationContext) as a security boundary to prevent method invocation. …

Risk Assessment: CVSS 3.7 LOW (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects a real-world risk that is constrained by high attack complexity (AC:H) and limited impact scope (availability only, no confidentiality or integrity). …

Exploit Scenario: An attacker identifies an application endpoint that evaluates SpEL expressions derived from user-supplied input (such as a query filter, configuration value, or data-binding expression) and relies on a restricted SpEL context for safety. The attacker crafts a payload invoking a zero-argument method available on an accessible object in the expression context (such as a method that triggers a state change, logs data, or forces garbage collection) and submits it via a standard HTTP request. …

Remediation: Upgrade Spring Framework to the first version beyond each affected range: 7.0.8 or later for the 7.0.x train, 6.2.19 or later for the 6.2.x train, 6.1.28 or later for the 6.1.x train, and 5.3.49 or later for the 5.3.x train. These exact patch versions are inferred from the stated affected ranges and are not independently confirmed from the available input data; consult the vendor advisory at https://spring.io/security/cve-2026-41852 for the definitive fixed releases. …
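The remediation and exploitation-conditions sections above come down to one question for a defender: which of our deployed Spring Framework artifacts fall inside the affected ranges? The following triage script is an added example for this page, not vuln.today's or the Spring project's code. It reads dependency coordinates in the shape printed by `mvn dependency:list` (a constructed sample is embedded), parses the version with or without a qualifier such as `-SNAPSHOT`, and compares it against the inclusive ranges stated in the NVD description. The "next unaffected" value it reports reproduces the page's own inference (one patch level past each range's upper bound) and is labelled as such; it is not a confirmed fixed release. The rule that every `org.springframework:spring-*` artifact shares the Framework version is an assumption of the script.

```python
"""Triage Spring Framework dependency versions against the CVE-2026-41852
affected ranges quoted on this page (added example; not vendor code)."""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, copied from the NVD description above.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 0, 7)),
    ((6, 2, 0), (6, 2, 18)),
    ((6, 1, 0), (6, 1, 27)),
    ((5, 3, 0), (5, 3, 48)),
]

# major.minor.patch with an optional qualifier ('.RELEASE', '-SNAPSHOT', ...).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch); the qualifier is ignored for range checks."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups()[:3])  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def next_unaffected(version: str) -> Optional[str]:
    """First patch level beyond the matching affected range.

    This mirrors the page's inference ('first version beyond each affected
    range'); it is NOT a confirmed fix version. Check the vendor advisory."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return f"{hi[0]}.{hi[1]}.{hi[2] + 1}"
    return None


class Finding(NamedTuple):
    coordinate: str
    version: str
    affected: bool
    next_unaffected: Optional[str]


def triage_dependencies(lines: List[str]) -> List[Finding]:
    """Scan 'group:artifact[:type]:version[:scope]' lines and report every
    Spring Framework artifact. Assumption: all org.springframework:spring-*
    artifacts are released under the Framework version number."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            continue
        group, artifact = parts[0], parts[1]
        if group != "org.springframework" or not artifact.startswith("spring-"):
            continue
        # The version is the first field after the artifact that looks like one
        # ('jar' and 'compile' in Maven output do not match).
        version = next((p for p in parts[2:] if _VERSION_RE.match(p)), None)
        if version is None:
            continue
        findings.append(Finding(f"{group}:{artifact}", version,
                                is_affected(version), next_unaffected(version)))
    return findings


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """
# constructed sample, not output from a real build
org.springframework:spring-expression:jar:6.2.18:compile
org.springframework:spring-context:jar:6.2.18:compile
org.springframework.boot:spring-boot:jar:3.4.0:compile
org.springframework:spring-core:jar:5.3.10:compile
com.fasterxml.jackson.core:jackson-databind:jar:2.17.0:compile
org.springframework:spring-webmvc:jar:7.0.8:compile
"""

if __name__ == "__main__":
    for f in triage_dependencies(SAMPLE_DEPENDENCY_LIST.splitlines()):
        status = "AFFECTED" if f.affected else "not in affected range"
        hint = f" (inferred next unaffected: {f.next_unaffected})" if f.affected else ""
        print(f"{f.coordinate}:{f.version}: {status}{hint}")
```

Feed it real `mvn dependency:list` output (or Gradle output reshaped to `group:artifact:version`) and treat any AFFECTED line as a finding to verify against the Spring advisory, since the inferred next version is only a pointer, not the confirmed patch.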



CVE-2026-41852 vulnerability details – vuln.today
