PatchSiren cyber security CVE debrief
CVE-2026-41852 Spring CVE debrief
CVE-2026-41852 is a vulnerability in the Spring Expression Language (SpEL) evaluation logic. This vulnerability allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts. This could potentially allow an attacker to invoke unintended application logic. The affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor
- Spring
- Product
- Spring Framework
- CVSS
- LOW 3.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-11
Who should care
Users of Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 should be aware of this vulnerability.
Technical summary
The vulnerability has a CVSS score of 3.7 and is considered LOW severity. It is described as allowing arbitrary zero-argument method invocation due to a flaw in the SpEL evaluation logic. This could potentially be exploited to invoke unintended application logic.
Defensive priority
This vulnerability has a relatively low CVSS score of 3.7, indicating a lower severity. However, users of affected Spring Framework versions should still prioritize patching.
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Framework.
- Refer to [ref-4] for vendor advisory and mitigation details.
Evidence notes
Evidence from [nvd] and [cve-org] confirms the vulnerability details and affected versions.
Official resources
-
CVE-2026-41852 CVE record
CVE.org
-
CVE-2026-41852 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
CVE-2026-41852 was published on 2026-06-09T05:16:37.407Z and modified on 2026-06-11T15:43:23.130Z.