PatchSiren cyber security CVE debrief

CVE-2026-41862 Spring CVE debrief

CVE-2026-41862 is a remote code execution vulnerability in Spring Statemachine's Kryo-based persistence backends, including JPA, MongoDB, Redis, and ZooKeeper. The vulnerability occurs because these backends deserialise persisted state-machine contexts without enforcing a class allowlist, which can lead to remote code execution inside the application JVM. Affected versions are Spring Statemachine 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4. The CVSS score for this vulnerability is 8.8, indicating a high severity. The CVE was published on 2026-06-23T21:16:57.820Z and modified on 2026-06-25T19:10:00.050Z.

Vendor: Spring
Product: Spring Statemachine
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Developers and administrators using Spring Statemachine versions 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4 should be aware of this vulnerability and take steps to mitigate it. This vulnerability can be exploited remotely, and the high CVSS score indicates that it can have a significant impact on the affected systems. Therefore, it is essential to apply the necessary patches or updates to prevent exploitation.

Technical summary

The vulnerability in Spring Statemachine's Kryo-based persistence backends allows remote code execution because persisted state-machine contexts are deserialised without a class allowlist: any class named in the stored byte stream can be resolved and instantiated inside the application JVM. This is a CWE-502 weakness (deserialisation of untrusted data). The affected versions of Spring Statemachine are 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the vulnerability is reachable over the network with low attack complexity, requires only low privileges and no user interaction, and has a high impact on confidentiality, integrity, and availability.
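To make the allowlist point concrete, the following is an added Java example, not code from Spring Statemachine or from the Kryo project: it contrasts a Kryo instance that resolves whatever class name appears in the stored bytes with one configured to require registration, so that only an explicitly registered type can be read back. `PersistedContext` is a hypothetical stand-in for a persisted state-machine context, and the foreign stream is constructed here for the demonstration.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import java.io.ByteArrayOutputStream;

public class KryoAllowlistDemo {
    // Hypothetical stand-in for a persisted state-machine context (not a Spring Statemachine type).
    public static class PersistedContext {
        public String state; public int version;
    }
    // Weak setting: any class named in the byte stream is loaded and instantiated on read.
    static Kryo permissive() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }
    // Hardened setting: only explicitly registered classes may be written or read.
    static Kryo allowlisted() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(PersistedContext.class);
        return kryo;
    }
    static byte[] serialise(Kryo kryo, Object value) {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (Output out = new Output(bytes)) {
            kryo.writeClassAndObject(out, value);
        }
        return bytes.toByteArray();
    }
    public static void main(String[] args) {
        Kryo strict = allowlisted();
        // Expected persisted data round-trips under the allowlist.
        PersistedContext ctx = new PersistedContext();
        ctx.state = "S1"; ctx.version = 3;
        PersistedContext back = (PersistedContext) strict.readClassAndObject(new Input(serialise(strict, ctx)));
        System.out.println("round-trip ok: " + back.state + " v" + back.version);
        // Constructed stream naming a type the backend never registered (a harmless ArrayList here).
        byte[] foreign = serialise(permissive(), new java.util.ArrayList<String>());
        try {
            strict.readClassAndObject(new Input(foreign));
            System.out.println("unregistered class accepted: allowlist not enforced");
        } catch (RuntimeException e) {
            // With registration required, Kryo refuses to resolve a class that is not registered.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With `setRegistrationRequired(true)` the second read fails before any object of the unregistered type is constructed, which is the property the affected backends lack.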

Defensive priority

High priority should be given to patching or updating Spring Statemachine versions 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4 to prevent exploitation of this vulnerability. Developers and administrators should also consider implementing additional security measures, such as validating and sanitising input data, to reduce the risk of exploitation.

Recommended defensive actions

  • Apply patches or updates to Spring Statemachine versions 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4
  • Implement additional security measures, such as validating and sanitising input data
  • Monitor systems for suspicious activity
  • Consider using a web application firewall to detect and prevent exploitation
  • Keep software and dependencies up to date

Evidence notes

The CVE-2026-41862 vulnerability was published on 2026-06-23T21:16:57.820Z and modified on 2026-06-25T19:10:00.050Z. The CVSS score for this vulnerability is 8.8, indicating a high severity. The vulnerability is related to CWE-502, which is the deserialisation of untrusted data. The affected versions of Spring Statemachine are 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4.

Official resources

This article is AI-assisted and based on the supplied source corpus.