CVE-2026-41851: Spring Framework SpEL Denial of Service Vulnerability
Spring Framework contains a vulnerability in how it handles Spring Expression Language (SpEL) expressions when applications allow user input to be evaluated as SpEL code. An attacker can craft specially designed expressions that cause the framework's internal cache to grow without bounds, consuming memory until the application becomes unresponsive or crashes. This is a denial-of-service (DoS) condition that requires no authentication and can be triggered remotely.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-770
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41851 is a resource exhaustion vulnerability in Spring Framework's SpEL expression evaluation mechanism. The vulnerability stems from unbounded cache growth when processing user-supplied SpEL expressions. When an application dynamically evaluates SpEL (typically via SpelExpressionParser or expression templating features), malicious expressions can trigger cache entries that are never evicted, leading to heap memory exhaustion. The issue affects all versions of Spring Framework that support SpEL evaluation without proper cache bounds: 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The attack vector is network-based with low complexity and requires no special privileges or user interaction.
Business impact
Organizations using Spring Framework in applications that accept user-supplied SpEL expressions face availability risk. An attacker can remotely cause application outages by exhausting heap memory through malicious expression payloads, disrupting service to legitimate users without gaining data access or code execution. This affects any Spring-based web application, microservice, or integration platform that parses or evaluates SpEL from user input—including custom rule engines, template systems, dynamic filtering, or configuration processors that leverage SpEL. Recovery requires manual application restart, extending downtime.
Affected systems
VMware Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 are affected. Any application embedding these versions and exposing SpEL evaluation to untrusted user input is at risk. This includes Spring Boot applications, Spring Cloud services, and custom applications built on Spring Framework that use SpEL for dynamic expression evaluation in features like validation, filtering, templating, or custom DSL implementations.
Exploitability
The vulnerability is readily exploitable. The attack requires only network access and no authentication; an attacker can send a crafted HTTP request or API call containing a malicious SpEL expression to trigger cache exhaustion. The low complexity of the attack—no special gadget chains or environment-specific setup required—combined with the network accessibility of most Spring applications makes this a practical threat. However, the vulnerability only impacts applications that explicitly evaluate user-supplied SpEL, not all Spring applications by default.
Remediation
Upgrade to patched versions immediately. Verify against the vendor advisory for the exact fixed release version for your Spring Framework branch. In the interim, if upgrading is not immediately possible, implement strict input validation and filtering to reject or sanitize SpEL expressions before evaluation. Disable SpEL evaluation of user input where not essential, and consider using safer expression languages or whitelisting allowed expression patterns. Monitor heap memory usage and application logs for signs of memory exhaustion or repeated SpEL parsing errors.
Patch guidance
Apply the security patch released for Spring Framework as of June 27, 2026. Check the official VMware Spring Framework security advisories to identify the exact patched version for each affected branch (7.0.x, 6.2.x, 6.1.x, 5.3.x). Test patches in a non-production environment to ensure compatibility with your application before deploying to production. If you are on a version newer than 7.0.7 or outside the affected ranges, you are not impacted.
Detection guidance
Monitor for signs of resource exhaustion: sustained high heap memory usage, garbage collection pressure, or out-of-memory exceptions correlated with user input containing SpEL syntax. Enable debug logging on Spring's expression parser to log evaluated expressions. Search application logs for unusual SpEL patterns or repeated expression parsing attempts. Network-based detection is challenging; focus on anomalous application behavior (response latency spikes, service unavailability) following requests with complex or unusual expression payloads. Set up alerting for JVM heap usage thresholds and OutOfMemoryError events in Spring applications.
Why prioritize this
While the CVSS score of 5.3 (Medium) reflects limited direct impact—denial of service without data breach—the practical exploitability and low barrier to attack, combined with the prevalence of Spring Framework in enterprise infrastructure, warrant prompt patching. Organizations should prioritize any internet-facing Spring application or microservice that accepts or processes dynamic expressions. Internal applications with restricted input sources can be patched in a normal maintenance window.
Risk score, explained
The CVSS 3.1 score of 5.3 (Medium severity) reflects a network-accessible, low-complexity attack that causes availability impact (memory exhaustion) with no confidentiality or integrity compromise. The score appropriately penalizes the lack of authentication requirement and remote exploitability but does not escalate it to High because the impact is limited to denial of service and requires the application to be using SpEL evaluation on user input—not a universal default in Spring applications. Organizations with critical availability requirements or heavy reliance on affected services may assess internal risk higher.
Frequently asked questions
Do all Spring Framework applications have this vulnerability?
No. Only applications that evaluate user-supplied SpEL expressions are at risk. Many Spring applications use SpEL internally for configuration or property binding without exposing it to user input. Review your application's code for uses of SpelExpressionParser, EvaluationContext, or SpEL in templates (e.g., @Value annotations with user-controlled data) to determine exposure.
Can this vulnerability be exploited without network access?
No. The vulnerability requires network access to submit a malicious SpEL expression to the application. However, the attack does not require authentication or user interaction, so any publicly accessible endpoint that processes SpEL is a potential attack surface.
What does the cache exhaustion actually store, and why does it grow unbounded?
Spring Framework caches compiled SpEL expressions and metadata to avoid recompiling the same expression repeatedly. This vulnerability allows an attacker to craft expressions that are never matched against cached entries, causing new cache entries to be created indefinitely. Over time, this exhausts heap memory. Patched versions implement bounded caches or eviction policies to prevent this.
If I cannot patch immediately, what is the safest workaround?
The safest approach is to disable or restrict SpEL evaluation of untrusted user input. If SpEL is essential, implement strict whitelisting of allowed expression patterns and reject anything else before passing it to the expression parser. Additionally, set JVM heap size limits and monitor for OOM conditions. However, these are temporary measures; patching should be prioritized.
This analysis is based on publicly available vulnerability data as of June 27, 2026. Verify all patch versions and remediation steps against official VMware Spring Framework security advisories before deployment. The information provided is for informational purposes to support security decision-making and should be supplemented with your organization's own risk assessment, testing, and internal security policies. SEC.co does not provide legal advice or guarantee the completeness or accuracy of patched versions or timelines. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-41007HIGHSpring HATEOAS Unbounded Cache Denial-of-Service Vulnerability
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-41710MEDIUMSpring Retry Cache Exhaustion Denial of Service
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size
- CVE-2026-45023MEDIUMAutoGPT Credit Bypass in Block Execution API