Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable persistence backend (AV:N), low complexity once write access exists (AC:L), requires write privilege to the store (PR:L), no user interaction, full RCE impact on JVM.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.
Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4
Articles & Coverage 1
AnalysisAI
Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses Spring Statemachine with one of the four Kryo-backed persistence integrations enabled (JPA, MongoDB, Redis, or ZooKeeper) and that the attacker can write a crafted serialized blob into the backing store used to persist StateMachineContext objects. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N gives a base score of 8.8 with full C/I/A impact, indicating network-reachable, low-complexity exploitation that requires only low-privileged access - consistent with an attacker who has any ability to influence the contents of the persistence backend (e.g., authenticated DB/Redis user, a compromised co-tenant, or another application sharing the store). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains low-privileged access to the Redis, MongoDB, JPA database, or ZooKeeper node backing a Spring Statemachine deployment writes a malicious Kryo-serialized blob into the state-machine context key. The next time the target application loads or restores that state machine, Kryo instantiates an attacker-controlled gadget chain and the JVM executes arbitrary code with the privileges of the application process. … |
| Remediation | Patch status: patch available per vendor advisory at https://spring.io/security/cve-2026-41862 - consult the advisory for the exact fixed releases in the 3.2.x and 4.0.x lines and upgrade Spring Statemachine accordingly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all production systems running Spring Statemachine 3.2.0-3.2.4 or 4.0.0-4.0.1; cross-reference with application authentication scope to assess attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38596
GHSA-85qj-f5wg-rwp9