
Spring Framework EUVD-2026-35344

CVE-2026-41855 | HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-09 · vmware · GHSA-x863-p983-p4f7
CVSS 3.1 base score: 8.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 09, 2026 - 06:01 (EUVD)
Analysis generated: Jun 09, 2026 - 05:06 (vuln.today)

Description (NVD)

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Analysis (AI)

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) allows remote attackers to instantiate arbitrary classes when applications process messages from an untrusted JMS broker, enabling gadget-chain exploitation that can result in code execution or other unauthorized actions. The flaw affects Spring Framework 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, and 7.0.0-7.0.7. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Spring app consuming untrusted JMS
Delivery: Gain publish access to consumed destination
Exploit: Craft JSON message with gadget class type header
Execution: Application deserializes via Jackson JMS converter
Persist: Gadget chain triggers on instantiation
Impact: Achieve code execution or unauthorized action

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the target application to use either MappingJackson2MessageConverter or JacksonJsonMessageConverter from the spring-jms module to deserialize incoming messages, (2) the application to consume from an 'untrusted JMS environment', meaning a broker, queue, or topic where the attacker can inject or modify messages (a shared multi-tenant broker, an externally exposed listener, or a compromised upstream producer), and (3) a usable gadget class present on the application classpath that can be reached via arbitrary instantiation to achieve attacker-meaningful impact. …
Risk Assessment: The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects unauthenticated network reachability against the JMS consumer with high impact across confidentiality, integrity, and availability, but with high attack complexity because exploitation depends on the victim consuming messages from a broker the attacker controls or can poison, plus the presence of an exploitable gadget class on the classpath. …
Exploit Scenario: An attacker who can publish JMS messages to a queue or topic that a Spring application consumes (for example via a shared broker, a misconfigured public listener, or a compromised producer) crafts a JSON payload whose type header names a gadget class present on the consumer's classpath. When MappingJackson2MessageConverter or JacksonJsonMessageConverter deserializes the message, the gadget chain executes during object construction, yielding code execution or other unauthorized actions in the Spring application's process. …
Remediation: A patch is available per the vendor advisory at https://spring.io/security/cve-2026-41855; upgrade to the fixed maintenance release for your branch (above 5.3.48, 6.1.27, 6.2.18, or 7.0.7 respectively), consulting that advisory for the exact patched version. …
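The attack chain above hinges on the type-id header being resolved to whatever class it names. As an added illustration of a compensating control for consumers that cannot upgrade immediately (this is example code, not the advisory's or the Spring project's), the subclass below resolves the header only through an explicit allowlist and rejects every other value. It assumes Spring Framework 6.x with jakarta.jms; the `_type` header name and the protected `getJavaTypeForMessage` hook are assumptions about the stock converter's API, and OrderEvent/InvoiceEvent are placeholder payload types.

```java
import java.util.Map;
import jakarta.jms.JMSException;
import jakarta.jms.Message;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageConversionException;
import org.springframework.jms.support.converter.MessageType;

// Hardened JMS JSON converter: the type-id header can only select a class from
// a fixed allowlist, never name an arbitrary class on the consumer's classpath.
public class AllowlistedJmsJsonConverter extends MappingJackson2MessageConverter {

    // Default type-id header name of the stock converter (assumption).
    private static final String TYPE_ID_HEADER = "_type";

    private final ObjectMapper mapper = new ObjectMapper();
    private final Map<String, Class<?>> allowed;

    public AllowlistedJmsJsonConverter(Map<String, Class<?>> allowed) {
        this.allowed = Map.copyOf(allowed);
        setObjectMapper(this.mapper);
        setTargetType(MessageType.TEXT);
        setTypeIdPropertyName(TYPE_ID_HEADER);
        setTypeIdMappings(this.allowed); // outbound: class -> short id, not a class name
    }

    // Inbound: resolve the header strictly via the allowlist; no class-name fallback.
    @Override
    protected JavaType getJavaTypeForMessage(Message message) throws JMSException {
        String typeId = message.getStringProperty(TYPE_ID_HEADER);
        Class<?> target = (typeId == null) ? null : this.allowed.get(typeId);
        if (target == null) {
            // Reject the message instead of loading the header value as a class.
            throw new MessageConversionException("Rejected JMS type id: " + typeId);
        }
        return this.mapper.getTypeFactory().constructType(target);
    }

    // Placeholder payload types for the wiring example below.
    public record OrderEvent(String orderId, long amountCents) {}
    public record InvoiceEvent(String invoiceId) {}

    // Wiring: only these two ids can ever be deserialized by this consumer.
    public static AllowlistedJmsJsonConverter forBillingQueue() {
        return new AllowlistedJmsJsonConverter(
                Map.of("order", OrderEvent.class, "invoice", InvoiceEvent.class));
    }
}
```

Register the converter on the JmsListenerContainerFactory or JmsTemplate in place of the stock one; a rejected message surfaces as a MessageConversionException, which is worth alerting on as a signal of poisoned traffic on the destination.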

Recommended Action (AI)

24 hours: Audit all applications using Spring Framework versions 5.3.0-5.3.48, 6.1.0-6.1.27, 6.2.0-6.2.18, or 7.0.0-7.0.7 with JMS enabled; document affected systems and business criticality. …


EUVD-2026-35344 vulnerability details – vuln.today
