PatchSiren cyber security CVE debrief
CVE-2026-41850 Spring CVE debrief
CVE-2026-41850 is a HIGH severity vulnerability in Spring Framework, with a CVSS score of 7.5. Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. The affected versions are Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 are within the affected range. Exposure depends on whether the application evaluates SpEL expressions that originate from untrusted input; teams that do should treat the mitigation steps below as a priority.
Technical summary
The weakness lies in SpEL expression evaluation. When an application passes an expression supplied by an untrusted party to the SpEL evaluator, a specially crafted expression drives excessive resource consumption during evaluation, degrading the application or making it unavailable (an algorithmic denial of service).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Framework, that is, a release newer than the affected ranges listed above.
- Do not evaluate SpEL expressions that originate from untrusted input. Where expression evaluation is required, restrict user-supplied input so that a caller can never provide an arbitrary expression string for evaluation.
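The second action above is easiest to see side by side. The following is an added illustration written for this debrief; it is not code from the CVE record, from the PatchSiren advisory, or from the Spring project. It contrasts the exposed pattern (a request parameter is used directly as the expression text) with one way to honour the "restrict user-supplied input" recommendation: the user chooses a key from a fixed allowlist, and only pre-built expressions are ever evaluated. The allowlist keys, the property names and the root bean are assumptions made for the example; the allowlist approach is an editorial suggestion, not the vendor's published fix, and upgrading remains the primary action.

```java
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelInputHandling {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Exposed pattern: the caller's string *is* the expression. Whoever controls
    // userSuppliedExpression controls what the SpEL evaluator has to work on,
    // which is the precondition described for CVE-2026-41850.
    static Object evaluateUserExpression(String userSuppliedExpression, Object root) {
        Expression exp = PARSER.parseExpression(userSuppliedExpression);
        return exp.getValue(root);
    }

    // Hardened pattern: expressions are fixed at build time and parsed once.
    // The keys and the bean properties (firstName, lastName, address.city) are
    // hypothetical values chosen for this example.
    private static final Map<String, Expression> ALLOWED = Map.of(
        "displayName", PARSER.parseExpression("firstName + ' ' + lastName"),
        "city",        PARSER.parseExpression("address.city")
    );

    // User input only selects an allowlisted key; it never reaches the parser.
    // SimpleEvaluationContext additionally limits what the evaluator can touch
    // (read-only property access, no type references, constructors or beans).
    static Object evaluateAllowlisted(String key, Object root) {
        Expression exp = ALLOWED.get(key);
        if (exp == null) {
            throw new IllegalArgumentException("unknown expression key: " + key);
        }
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return exp.getValue(ctx, root);
    }
}
```

The point of the hardened variant is that the set of expressions the evaluator will ever see is closed and reviewed in advance; a caller can pick among them but cannot author one. The restricted evaluation context is a defence-in-depth layer on top of that, not a substitute for the allowlist or for the upgrade.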
Evidence notes
The CVE record and NVD detail provide information on the affected versions and CVSS score.
Official resources
- CVE-2026-41850 CVE record (CVE.org)
- CVE-2026-41850 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41850 was published on 2026-06-09T05:16:37.177Z and modified on 2026-06-09T20:36:09.657Z.