Skip to main content

Spring Statemachine CVE-2026-41862

| EUVDEUVD-2026-38596 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-23 security@vmware.com GHSA-85qj-f5wg-rwp9
8.8
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable persistence backend (AV:N), low complexity once write access exists (AC:L), requires write privilege to the store (PR:L), no user interaction, full RCE impact on JVM.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 22:02 EUVD
Analysis Generated
Jun 23, 2026 - 21:30 vuln.today
CVE Published
Jun 23, 2026 - 21:16 cve.org
HIGH 8.8

DescriptionCVE.org

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.

Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4

AnalysisAI

Remote code execution in Spring Statemachine 3.2.0-3.2.4 and 4.0.0-4.0.1 allows authenticated attackers to execute arbitrary code inside the application JVM by injecting malicious serialized Java objects into the Kryo-based persistence backends (JPA, MongoDB, Redis, or ZooKeeper). The flaw stems from deserializing persisted state-machine contexts without enforcing a class allowlist, a classic CWE-502 pattern that has historically yielded reliable gadget-chain exploitation in Java applications. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Spring Statemachine app with Kryo persistence
Delivery
Obtain write access to backing store (Redis/Mongo/JPA/ZK)
Exploit
Craft Kryo-serialized gadget chain payload
Install
Inject payload into StateMachineContext entry
C2
Application deserializes context on load
Execute
JVM executes attacker code
Impact
Establish foothold in application host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses Spring Statemachine with one of the four Kryo-backed persistence integrations enabled (JPA, MongoDB, Redis, or ZooKeeper) and that the attacker can write a crafted serialized blob into the backing store used to persist StateMachineContext objects. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N gives a base score of 8.8 with full C/I/A impact, indicating network-reachable, low-complexity exploitation that requires only low-privileged access - consistent with an attacker who has any ability to influence the contents of the persistence backend (e.g., authenticated DB/Redis user, a compromised co-tenant, or another application sharing the store). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains low-privileged access to the Redis, MongoDB, JPA database, or ZooKeeper node backing a Spring Statemachine deployment writes a malicious Kryo-serialized blob into the state-machine context key. The next time the target application loads or restores that state machine, Kryo instantiates an attacker-controlled gadget chain and the JVM executes arbitrary code with the privileges of the application process. …
Remediation Patch status: patch available per vendor advisory at https://spring.io/security/cve-2026-41862 - consult the advisory for the exact fixed releases in the 3.2.x and 4.0.x lines and upgrade Spring Statemachine accordingly. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production systems running Spring Statemachine 3.2.0-3.2.4 or 4.0.0-4.0.1; cross-reference with application authentication scope to assess attack surface. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-41862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy