CVE-2026-41850

Denial of Service
Affects Spring Framework in Spring
Versions: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Framework is the foundational application framework for the Java platform, providing core dependency injection, data access, web, and integration support that underpins most of the Spring ecosystem. One of its building blocks is the Spring Expression Language (SpEL), shipped in the spring-expression module, which lets applications parse and evaluate expression strings at runtime to read and write object graphs, invoke methods, build collections, and perform arithmetic. Applications use SpEL directly through SpelExpressionParser and Expression.getValue(...), and indirectly through many Spring features that accept SpEL strings.

A high-severity vulnerability (CVE-2026-41850) has been identified in SpEL expression evaluation. Applications that evaluate user-supplied SpEL expressions are vulnerable to an algorithmic Denial of Service: a short, syntactically valid expression can drive evaluation-time work that grows disproportionately to the size of the expression text, exhausting CPU and memory and degrading or halting availability. The issue only affects applications that evaluate attacker-influenced SpEL; applications that evaluate only static, developer-authored expressions are not exposed.

Per OWASP, a Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed; there are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resource-handling vulnerabilities, among others. This vulnerability is the resource-handling variant: a crafted expression forces the evaluator to perform an outsized amount of work, consuming the resources that legitimate requests depend on.

The CVSS v3.1 base score vector for this vulnerability is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (High). The attack vector is Network because the malicious expression can arrive over a normal application request, attack complexity is Low because a single crafted expression is sufficient, and no privileges or user interaction are required. The impact is Availability-only and High: the evaluation path consumes resources but does not disclose or modify data, so there is no confidentiality or integrity impact. This is classified under CWE-770 (Allocation of Resources Without Limits or Throttling).

This issue affects Spring Framework >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7.

Details

Module Info

Vulnerability Info

The vulnerability lives in the SpEL evaluation engine in the spring-expression module. When SpEL evaluates a parsed expression, it walks an abstract syntax tree (AST) of nodes such as inline lists and maps (InlineList, InlineMap), indexers (Indexer), arithmetic and comparison operators (OpPlus, OpMultiply, OpMinus, and the comparison/logical operators), method, constructor, function, and bean references, and assignment/increment/decrement nodes. Each node performs its work and recurses into its children to produce a result.

Prior to the fix, evaluation had no cap on the total number of operations it would perform. The existing guards from CVE-2023-20863 bound only sizes: the expression text (maximumExpressionLength, default 10000 characters) and any single concatenated string (100000 characters), not the work done at evaluation time. Nested inline collections, unbounded repetition of bounded-size concatenations, and operands that grow as evaluation proceeds let a short expression that passes every size check consume CPU and memory far out of proportion to its length, starving legitimate requests.

Pre-fix, an AST node such as InlineList constructed its result by evaluating every child with no per-operation accounting:

```java
// Pre-fix InlineList evaluation: each child node is evaluated and added to the
// result with no accounting for how much work the evaluation as a whole has done.
List<Object> returnValue = new ArrayList<>(childCount);
for (int c = 0; c < childCount; c++) {
    returnValue.add(getChild(c).getValue(expressionState));
}
```

The fix counts operations during evaluation and throws a SpelEvaluationException past a cap of 10000 operations by default, configurable per parser via SpelParserConfiguration or globally via spring.expression.maxOperations. Well-behaved expressions stay far below the threshold and are unaffected.

Mitigation

Only recent versions of Spring Framework receive community support and updates. The 6.1.x and 5.3.x lines are out of OSS support and have no publicly available OSS fix for this vulnerability; their upstream fixes are available only through commercial maintenance, and older lines such as 4.3.x have no public fix at all.

This issue is exploitable only where an application evaluates attacker-influenced SpEL expressions. Applications that evaluate only static, developer-authored expressions are not exposed, and reviewing where untrusted input reaches SpEL evaluation is a useful first step.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework. The OSS fix ships in Spring Framework 6.2.19 (6.2.x line) and 7.0.8 (7.0.x line). On a fixed version, the evaluation-time operation limit can be tuned with the spring.expression.maxOperations property if an application's legitimate expressions need a higher or lower bound.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework, which provides the fix for the 4.3.x, 5.3.x, and 6.1.x lines.
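As an added example (not HeroDevs' or the Spring project's code), the hypothetical GuardedSpel wrapper below shows the defensive posture the mitigation implies for code paths where untrusted SpEL cannot be removed: a tighter expression-length cap, a read-only SimpleEvaluationContext, and a bounded worker pool with a time budget as a backstop. It assumes the spring-expression module is on the classpath; the actual fix is the evaluation-time operation cap in 6.2.19 and 7.0.8 (tunable via spring.expression.maxOperations), which this wrapper complements rather than replaces.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelCompilerMode;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/** Hypothetical wrapper for evaluating attacker-influenced SpEL strings (example code). */
public final class GuardedSpel {
    // Far below the default 10000-character cap. Length does not bound evaluation work
    // (that is the whole point of this CVE), but it narrows what can be submitted.
    private static final int MAX_EXPR_LENGTH = 256;
    private static final long TIME_BUDGET_MS = 200;

    private final SpelExpressionParser parser = new SpelExpressionParser(
        new SpelParserConfiguration(SpelCompilerMode.OFF, null, false, false, 0, MAX_EXPR_LENGTH));
    // Small fixed pool: caps how many evaluations, including runaway ones, run concurrently.
    private final ExecutorService pool = Executors.newFixedThreadPool(2);

    public Object evaluate(String untrustedExpr, Object root) throws Exception {
        // Data-binding-only context: no type references, constructors or bean references.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        // Parsing enforces MAX_EXPR_LENGTH and throws ParseException when exceeded.
        Expression expr = parser.parseExpression(untrustedExpr);
        Future<Object> result = pool.submit(() -> expr.getValue(ctx, root));
        try {
            return result.get(TIME_BUDGET_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Frees the request thread. The worker is interrupted, but SpEL does not poll
            // interrupts, so only the fixed version's operation cap truly stops the work.
            result.cancel(true);
            throw new IllegalArgumentException("SpEL evaluation exceeded its time budget", e);
        } catch (ExecutionException e) {
            // On a fixed version, exceeding the operation cap surfaces here as a
            // SpelEvaluationException wrapped in the ExecutionException.
            throw new IllegalArgumentException("SpEL expression rejected: " + e.getCause().getMessage(), e);
        }
    }
}
```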

Credits

  • @wo1enca1ca1 (finder)
Vulnerability Details

Severity: High (legend: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-41850
Project Affected: Spring Framework
Versions Affected: >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected:
Published date: June 11, 2026
≈ Fix date: June 10, 2026
Category: Denial of Service