CVE-2026-41850: Spring Framework SpEL Denial of Service Vulnerability (CVSS 7.5)
Spring Framework contains a vulnerability in how it evaluates user-supplied SpEL (Spring Expression Language) expressions. An attacker can craft a malicious expression that forces the application to consume excessive CPU or memory during processing, causing the application to slow down or become completely unavailable. This only affects applications that directly evaluate untrusted SpEL input—not all Spring applications are vulnerable. The vulnerability impacts multiple recent versions of Spring Framework across the 5.3, 6.1, 6.2, and 7.0 release lines.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-407
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41850 is an algorithmic denial-of-service (CWE-407) flaw in Spring Framework's SpEL expression evaluator. When an application parses and evaluates a specially crafted SpEL expression supplied by an external user or untrusted source, the expression engine can enter pathological evaluation patterns that consume disproportionate system resources. The vulnerability does not involve code execution, authentication bypass, or data exposure—it strictly degrades availability. The attack vector is network-accessible and requires no privilege or user interaction, making it straightforward to exploit from a remote attacker's perspective.
Business impact
Applications using Spring Framework to evaluate user-supplied SpEL expressions face a direct availability risk. A remote attacker can trigger application hangs or crashes without authentication, potentially disrupting critical business services. The impact severity depends on the role of the affected application: if it's a core transaction processor, authentication service, or API gateway, a denial of service could cascade across dependent systems. Organizations relying on Spring for expression evaluation in dynamic query building, rule engines, or template processing should assess their deployment footprint immediately.
Affected systems
VMware Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are vulnerable. The vulnerability only manifests in applications that directly parse and evaluate untrusted SpEL expressions—for example, applications implementing custom expression-based query filters, rule engines, or dynamic templating. Applications that use Spring Framework but do not expose SpEL evaluation to external input are not impacted.
Exploitability
This vulnerability is readily exploitable. The attack requires no authentication, no special privileges, and no user interaction. An attacker only needs network access to submit a malicious SpEL expression to the vulnerable application. Proof-of-concept expressions can be relatively short and trivial to craft once the vulnerability is known. The low complexity of exploitation and high impact on availability make this an attractive target for opportunistic attackers and potential inclusion in automated attack tools.
Remediation
The primary remediation is to upgrade Spring Framework to patched versions. Consult the official VMware Spring Framework security advisory for the specific patched version numbers for your release line. As an interim mitigation, organizations should implement strict input validation and rate limiting on any endpoints that accept SpEL expressions, disable SpEL evaluation where possible, and monitor for unusual CPU or memory spikes that may indicate an active attack.
Patch guidance
Verify the latest patched version from the official VMware Spring Framework security advisory, as version numbers may vary by release branch. Once patched versions are released, prioritize upgrades for production systems that evaluate untrusted SpEL input. Test thoroughly in a staging environment first, as Spring Framework updates can occasionally impact application behavior. For applications on maintenance-only versions (e.g., Spring 5.x), confirm patch availability from VMware before planning upgrades.
Detection guidance
Monitor application logs for repeated or anomalous SpEL evaluation requests, particularly those with unusually complex or deeply nested expressions. Watch for sustained high CPU utilization or memory growth correlated with specific endpoints or request patterns. Network-level detection can flag repeated requests to endpoints known to process expressions. Endpoint protection tools may observe process resource exhaustion (CPU maxing out, memory growth) when this vulnerability is actively exploited. Log aggregation queries targeting expression evaluation errors or timeouts can help surface exploitation attempts.
Why prioritize this
This vulnerability scores 7.5 (HIGH) due to its network accessibility, lack of authentication requirement, and direct impact on application availability. Although it does not permit code execution or data theft, availability is a critical pillar of the CIA triad. The ease of exploitation and the breadth of affected Spring Framework versions elevate urgency. Organizations running Spring in production, especially in customer-facing or mission-critical roles, should treat this as a near-term priority.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects: (1) Network attack vector—the vulnerability is remotely exploitable over the network; (2) Low attack complexity—no special conditions or tricks are required to craft an exploitable expression; (3) No privileges or user interaction required; (4) High impact on availability through resource exhaustion; (5) No confidentiality or integrity impact. The severity is HIGH rather than CRITICAL because exploitation does not lead to unauthorized data access, code execution, or system compromise, only service degradation.
Frequently asked questions
Does this vulnerability affect all Spring Framework applications?
No. Only applications that directly evaluate untrusted, user-supplied SpEL expressions are vulnerable. Typical Spring applications that use expression language for configuration or annotation processing with trusted input are not affected. Audit your application code for any use of SpELExpressionParser or similar APIs that process external input.
Can this vulnerability be exploited without sending a request to the application?
No. An attacker must be able to send a crafted SpEL expression to the vulnerable application over the network. If the application does not expose any endpoint or interface that accepts and evaluates expressions, it cannot be exploited.
What is the difference between this and a regular denial-of-service attack?
This is an algorithmic DoS—the attacker leverages the inefficient evaluation logic of a specific SpEL expression to trigger disproportionate resource consumption. A regular network-based DoS (like a flood attack) attempts to overwhelm the target with volume. This attack uses logic flaw to achieve resource exhaustion with minimal traffic.
If we have a Web Application Firewall (WAF), will it protect us?
A WAF can help by blocking or rate-limiting requests to known vulnerable endpoints, but protection depends on having rules that recognize malicious SpEL patterns. The best defense remains patching. A WAF is a useful supplementary control while patches are being deployed.
This analysis is provided for informational purposes and does not constitute professional security advice. The vulnerability details and affected versions are based on published information current as of the analysis date. For definitive patch version numbers, vendor-specific mitigation guidance, and official security advisories, consult VMware's Spring Framework security page and your organization's security team. No exploit code or attack instructions are provided herein. Always validate patch applicability and conduct thorough testing before deployment in production environments. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42504HIGHMIME Header CPU Exhaustion Denial of Service – Patch Guidance
- CVE-2026-8889HIGHSecurly Chrome Extension SHA-1 Hashing Vulnerability (CVSS 7.5)
- CVE-2026-11312LOWInfiniStore Algorithmic Complexity DoS Vulnerability
- CVE-2026-8594MEDIUMText::LineFold Denial of Service via Output Duplication
- CVE-2026-41006HIGHSpring HATEOAS Jackson Access-Control Bypass Denial of Service
- CVE-2026-41007HIGHSpring HATEOAS Unbounded Cache Denial-of-Service Vulnerability
- CVE-2026-41722HIGHStored XSS in VMware Cloud Foundation Operations – Privilege-Based Impact
- CVE-2026-41723HIGHVMware Cloud Foundation Operations Stored XSS Vulnerability (CVSS 8.0)