View all Vulnerabilities

CVE-2026-41862

Content Spoofing
Affects
Spring Statemachine
in
Spring
No items found.
Versions
>=3.2.0 <=3.2.4, >=4.0.0 <=4.0.1
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Statemachine is a framework for building state machine applications on top of Spring, providing support for hierarchical and regional states, transitions, and the persistence of a running machine's context to external stores such as a relational database, MongoDB, Redis, or ZooKeeper.

A high-severity vulnerability (CVE-2026-41862) has been identified in Spring Statemachine. Its Kryo-based persistence backends (JPA, MongoDB, Redis, and ZooKeeper) deserialize a persisted StateMachineContext without enabling Kryo's registration requirement, so no class allowlist is enforced on read. An attacker who can write to the persistence store can supply crafted serialized bytes that name arbitrary classes, which Kryo will instantiate during deserialization, leading to remote code execution inside the application JVM.

Per OWASP, deserialization of untrusted data occurs when an application reconstructs objects from attacker-controllable serialized input without restricting which types may be instantiated, enabling object-injection and gadget-chain attacks that can culminate in remote code execution.

This issue affects versions >=3.2.0 <=3.2.4 and >=4.0.0 <=4.0.1 of Spring Statemachine.

Details

Module Info

Vulnerability Info

Spring Statemachine persists a running machine's StateMachineContext by serializing it with Kryo and writing the resulting bytes to the configured backend. Each backend constructs its Kryo instance the same way, installing custom serializers for the framework types but never enabling registration enforcement:

Kryo kryo = new Kryo();
kryo.addDefaultSerializer(StateMachineContext.class, new StateMachineContextSerializer());
kryo.addDefaultSerializer(MessageHeaders.class, new MessageHeadersSerializer());
kryo.addDefaultSerializer(UUID.class, new UUIDSerializer());

Because Kryo.setRegistrationRequired(true) is never called, Kryo falls back to its default behavior of resolving classes by the class name embedded in the input stream. On read, Kryo will load and instantiate whatever class the serialized bytes name. An attacker who controls the persisted context, such as the JPA row, the MongoDB document, the Redis value, or the ZooKeeper znode that stores the serialized context, can therefore craft an object graph that references gadget classes present on the application classpath. When the application loads that context (for example by restoring a state machine on startup or per request), Kryo instantiates the attacker-chosen types, which can be driven to execute arbitrary code within the application JVM.

Exploitation requires the attacker to be able to write into the persistence backend used by the state machine, consistent with the advisory's low-privilege attack vector. The same unguarded configuration is present in the Redis (RedisStateMachineContextRepository), ZooKeeper (ZookeeperStateMachinePersist), and JPA/MongoDB backends, the latter two through KryoStateMachineSerialisationService.

The remediation introduces a KryoStateMachineSerialisationDefaults helper that calls kryo.setRegistrationRequired(true) and registers an explicit allowlist of framework and JDK types. With registration required, Kryo identifies classes by a registered numeric id rather than by class name, and any type that is not on the allowlist is rejected on read. Applications that persist custom state or event types must now register those types explicitly through a new Consumer<Kryo> customizer accepted by each backend. This is a behavior change: contexts written by older releases cannot be read by the fixed version, so the persistence backend must be drained or migrated during the upgrade.

This vulnerability was introduced in 2015 with Spring Statemachine 1.0.

Mitigation

Spring Statemachine versions in the affected range are End-of-Life from a community-support standpoint, and the 3.2.x line has no publicly available open-source fix; see the Spring Statemachine support policy at https://spring.io/projects/spring-statemachine#support.

Do not attempt to self-patch the Kryo configuration; the corrected behavior depends on a consistent allowlist applied across every persistence backend together with an application-supplied registration hook, and partial fixes leave deserialization paths open.

Recommended actions:

  1. Upgrade to a supported, fixed version of Spring Statemachine (4.0.2 or later).
  2. For applications that must remain on an End-of-Life line, HeroDevs Never-Ending Support (NES) provides a drop-in patched build of Spring Statemachine that closes this vulnerability. A fix for the NES 3.2.x line is available. Learn more about HeroDevs Never-Ending Support for Spring Statemachine and request coverage at https://www.herodevs.com/support/spring-nes

Credits

  • This issue was discovered internally by the Spring Statemachine team.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-40987
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-41862
PROJECT Affected
Spring Statemachine
Versions Affected
>=3.2.0 <=3.2.4, >=4.0.0 <=4.0.1
NES Versions Affected
Published date
June 15, 2026
≈ Fix date
June 15, 2026
Fixed in
NES for Spring
Category
Content Spoofing
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.