PatchSiren cyber security CVE debrief
CVE-2026-41855 Spring CVE debrief
CVE-2026-41855 is a high-severity vulnerability affecting Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. The flaw lies in the `MappingJackson2MessageConverter` and `JacksonJsonMessageConverter` classes in the `org.springframework.jms.support.converter` package, which allow arbitrary class instantiation when messages arrive from an untrusted JMS environment. This can lead to unauthorized actions via deserialization of gadget classes.
- Vendor: Spring
- Product: Spring Framework
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of affected Spring Framework versions should be concerned about this vulnerability, as it can be exploited in untrusted JMS environments.
Technical summary
The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. It is caused by the deserialization of gadget classes in untrusted JMS environments, which can lead to unauthorized actions.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Framework.
- Use a trusted JMS environment to prevent exploitation.
- Implement additional security measures to prevent gadget class deserialization.
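One way to implement the last item above in application code, as an added example that is neither the advisory's nor the Spring project's own: a wrapper around `MappingJackson2MessageConverter` that pins the converter to an explicit type-id-to-class mapping and rejects, before the converter runs, any message whose type-id header is not on that allow-list. It assumes Spring 6 or later (`jakarta.jms`), and the `_type` header name and `OrderPlaced` payload class are constructed for the example.

```java
import java.util.Map;
import jakarta.jms.JMSException;
import jakarta.jms.Message;
import jakarta.jms.Session;
import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageConversionException;
import org.springframework.jms.support.converter.MessageConverter;
import org.springframework.jms.support.converter.MessageType;

/** Hypothetical wrapper for this debrief: only allow-listed type ids reach Jackson.
 *  The "_type" header name and OrderPlaced class are assumed, not taken from Spring. */
public final class AllowListedJmsConverter implements MessageConverter {
    private static final String TYPE_ID_HEADER = "_type";

    // Only these logical ids may be resolved, and only to these classes.
    private static final Map<String, Class<?>> ALLOWED_TYPES =
            Map.of("orderPlaced", OrderPlaced.class);

    private final MappingJackson2MessageConverter delegate;

    public AllowListedJmsConverter() {
        delegate = new MappingJackson2MessageConverter();
        delegate.setTargetType(MessageType.TEXT);
        delegate.setTypeIdPropertyName(TYPE_ID_HEADER);
        // Explicit id -> class mapping, so a type id is never treated as a class name.
        delegate.setTypeIdMappings(ALLOWED_TYPES);
    }

    @Override
    public Message toMessage(Object object, Session session) throws JMSException {
        return delegate.toMessage(object, session);
    }

    @Override
    public Object fromMessage(Message message) throws JMSException {
        String typeId = message.getStringProperty(TYPE_ID_HEADER);
        // Fail closed: a missing or unknown type id is rejected before deserialization.
        if (typeId == null || !ALLOWED_TYPES.containsKey(typeId)) {
            throw new MessageConversionException(
                    "Rejected JMS message with unknown type id: " + typeId);
        }
        return delegate.fromMessage(message);
    }

    /** Constructed sample payload type for the example. */
    public record OrderPlaced(String orderId, int quantity) {}
}
```

Register the wrapper as the `MessageConverter` bean used by your `JmsTemplate` and listener container factory; it complements, rather than replaces, upgrading to a fixed Spring Framework version.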
Evidence notes
The CVE record and NVD detail pages provide additional information about the vulnerability.
Official resources
- CVE-2026-41855 CVE record (CVE.org)
- CVE-2026-41855 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: CVE-2026-41855 was published on 2026-06-09T05:16:37.770Z and modified on 2026-06-09T13:49:39.993Z.