View all Vulnerabilities

CVE-2026-41855

Remote Code Execution
Affects
Spring Framework
in
Spring
No items found.
Versions
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java platform, providing dependency injection, data access, transaction management, and integration support for messaging systems. Its spring-jms module bundles MappingJackson2MessageConverter, a JMS MessageConverter that uses Jackson to serialize outbound objects to JSON and to deserialize inbound JMS messages back into Java objects. To know which Java type an inbound message should be deserialized into, the converter reads a type identifier from a configurable JMS message header (the typeIdPropertyName property) and resolves it to a class.

A high-severity vulnerability (CVE-2026-41855) has been identified in that converter and in its Jackson 3 successor JacksonJsonMessageConverter. The type identifier read from the inbound message header is loaded as a class and used as the Jackson deserialization target without any allow-list restriction. An attacker who can place a message on a JMS destination that the application consumes can therefore set the type-id header to an arbitrary class name, causing the converter to instantiate and populate that class. In an untrusted JMS environment this enables arbitrary class instantiation and gadget-class deserialization, which can lead to unauthorized actions up to remote code execution depending on the gadget classes present on the consumer's classpath.

Per OWASP, deserialization is the process of taking data structured in some format and rebuilding it into an object, and insecure deserialization can lead to remote code execution; even where it does not result in remote code execution, it can be used to perform replay attacks, injection attacks, and privilege-escalation attacks. Here the untrusted data is the inbound JMS message: the type-id header chooses the class that Jackson instantiates, so an attacker who controls messages on a consumed destination controls the deserialization target.

The CVSS v3.1 vector for this vulnerability is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (High). The attack vector is Network and no privileges or user interaction are required, because the attacker only needs to publish a crafted message to a JMS destination the application consumes. Attack complexity is High because successful exploitation depends on a usable gadget class being present on the consumer's classpath. The impact is High across confidentiality, integrity, and availability, reflecting that gadget-class deserialization can result in full compromise of the consuming application.

This issue affects Spring Framework >=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7.

Details

Module Info

Vulnerability Info

The vulnerability is in MappingJackson2MessageConverter in the spring-jms module, specifically in the getJavaTypeForMessage(Message) method that runs whenever the converter deserializes an inbound JMS message. The method reads a type identifier from the message header named by typeIdPropertyName, and if that identifier does not match an explicitly configured idClassMappings entry, it loads the named class directly with ClassUtils.forName(typeId, ...) and hands it to Jackson as the deserialization target.

Pre-fix, the type-id header value flows unrestricted from the inbound message into class loading and deserialization:

protected JavaType getJavaTypeForMessage(Message message) throws JMSException {
    String typeId = message.getStringProperty(this.typeIdPropertyName);
    if (typeId == null) {
        throw new MessageConversionException(
                "Could not find type id property [" + this.typeIdPropertyName + "] on message [" +
                message.getJMSMessageID() + "] from destination [" + message.getJMSDestination() + "]");
    }
    Class<?> mappedClass = this.idClassMappings.get(typeId);
    if (mappedClass != null) {
        return this.objectMapper.constructType(mappedClass);
    }
    try {
        Class<?> typeClass = ClassUtils.forName(typeId, this.beanClassLoader);
        return this.objectMapper.constructType(typeClass);
    }
    catch (Throwable ex) {
        throw new MessageConversionException("Failed to resolve type id [" + typeId + "]", ex);
    }
}


typeId is taken verbatim from message.getStringProperty(this.typeIdPropertyName), an attacker-controllable JMS message header. When it does not match a configured mapping it is passed straight to ClassUtils.forName(typeId, this.beanClassLoader) and then to objectMapper.constructType(...), so the sender of the message chooses which class Jackson instantiates and populates. If a viable gadget class is on the consumer's classpath, this becomes a deserialization gadget chain and can escalate to remote code execution. Because the converter is a standard component wired into JMS listeners, any application that consumes JSON-over-JMS messages from a destination an attacker can write to is exposed.

Mitigation

Only recent versions of Spring Framework receive community support and updates. Older versions, including the 4.3.x, 5.3.x, and 6.1.x lines, have no publicly available open-source fix for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported open-source version of Spring Framework that contains the fix. The OSS fix ships in Spring Framework 6.2.19 (6.2.x line) and 7.0.8 (7.0.x line).
  • After upgrading, in any untrusted JMS environment call setTrustedPackages(...) on the Jackson JMS converter to restrict deserialization to the packages the application legitimately exchanges. The fix is opt-in hardening and does not restrict deserialization until trusted packages are configured.
  • As an interim hardening step on a vulnerable deployment, ensure the JMS destinations the application consumes cannot be written to by untrusted producers, and prefer explicit setTypeIdMappings(...) allow-listing of the exact classes exchanged rather than open class resolution from the type-id header.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.

Credits

Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-40987
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-41855
PROJECT Affected
Spring Framework
Versions Affected
>=4.3.0 <=4.3.30, >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Remote Code Execution
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.