CVE-2026-41852: Spring Expression Language Method Invocation Bypass
Spring Expression Language (SpEL) in VMware Spring Framework contains a flaw that allows attackers to invoke arbitrary methods with zero arguments even in contexts designed to restrict or prevent such actions. An attacker with network access could exploit this to trigger unintended application logic, potentially leading to denial of service or information disclosure depending on available methods and application design. This affects multiple versions across the 5.3, 6.1, 6.2, and 7.0 release branches.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in SpEL's evaluation logic, which fails to properly enforce access restrictions on method invocation during expression parsing and execution. Specifically, zero-argument methods can be invoked even when the expression context should be read-only or sandboxed. The affected CWE-863 classification (Incorrect Authorization) indicates the core issue is inadequate access control validation. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects that while exploitability requires specific application conditions (AC:H), the vulnerability is remotely reachable with no authentication needed, and impact is limited to availability.
Business impact
Organizations running vulnerable Spring Framework versions should evaluate whether SpEL is used to process untrusted input in their applications. If so, an attacker could disrupt availability by triggering resource-intensive zero-argument methods, or in some configurations, extract information through side-channel invocation. The low CVSS score and authorization-class nature of the flaw mean impact is typically constrained to application-specific logic; however, organizations relying on Spring's expression sandbox for security boundaries must treat this as a logic-bypass risk.
Affected systems
VMware Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 are affected. All currently-maintained branches contain the vulnerability. Systems running older versions (pre-5.3.0) or patched versions outside these ranges are not affected. Organizations should verify their exact Spring Framework version in build manifests and dependency trees.
Exploitability
Exploitation requires network access and depends on application context (AC:H per CVSS). Not all Spring Framework deployments are vulnerable—only those that parse SpEL expressions containing attacker-controlled input or rely on SpEL restrictions as a security boundary. The barrier to exploitation is higher than typical remote code execution flaws; the attacker must understand the target application's available methods and construct a zero-argument invocation that causes harm. This is not listed on the CISA Known Exploited Vulnerabilities catalog, indicating no active weaponization has been tracked as of publication.
Remediation
Update Spring Framework to a patched version outside the affected ranges. VMware has released patches addressing the SpEL evaluation logic; consult the official Spring Security and Framework advisories for specific version numbers and availability across the 5.3, 6.1, 6.2, and 7.0 lines. If immediate patching is not feasible, restrict untrusted input to SpEL expressions and avoid relying on read-only context markers as a sole security control. Code review of SpEL usage is recommended to identify risky patterns.
Patch guidance
Verify the specific patched version numbers in VMware's official Spring Framework security advisory, which will list the first non-vulnerable build for each affected branch. Patches are typically released concurrently across all supported versions. Test patches in a non-production environment to ensure compatibility with your application dependencies before rolling out to production. Given the low severity and authorization-focused nature of the flaw, patching can often be scheduled in a normal maintenance window rather than as an emergency response.
Detection guidance
Monitor application logs for SpEL parsing exceptions or unexpected method invocations on system or utility classes. Use static analysis tools (e.g., Checkmarx, SonarQube) to identify where SpEL expressions are evaluated, particularly those processing user input or external data. Dynamic testing should include fuzzing SpEL expressions with method invocation payloads to confirm whether read-only contexts are enforced. Check dependency manifests (pom.xml, gradle.build) for Spring Framework versions within the affected ranges.
Why prioritize this
This vulnerability has a low CVSS score (3.7) and is not on the KEV catalog, indicating limited active exploitation risk. However, prioritization should account for whether your application parses untrusted SpEL expressions. If SpEL is not used, or only processes internal/trusted data, this is a routine patch candidate. If SpEL processes user-supplied input or is relied upon for authorization enforcement, elevate priority to within the next maintenance cycle. The multi-version impact across four release branches means most Spring Framework users should plan patching, though urgency varies by use case.
Risk score, explained
The CVSS 3.1 score of 3.7 (LOW) reflects three key factors: (1) the vulnerability does not permit remote code execution or confidentiality breach; (2) exploitation requires high complexity (AC:H) in application-specific contexts; and (3) impact is limited to availability and only when attacker-controlled methods are available. The severity is not inflated by authentication requirements (PR:N) or broad attack surface. The CWE-863 authorization flaw classification accurately describes the root cause, but does not elevate score because the vulnerability class typically yields lower CVSS outcomes without confidentiality or integrity violations.
Frequently asked questions
Do all Spring Framework applications need to patch this vulnerability?
Not necessarily. Vulnerability impact is limited to applications that evaluate SpEL expressions containing untrusted input or rely on SpEL's read-only context as a security boundary. Applications using Spring solely for dependency injection and standard MVC patterns with no dynamic SpEL evaluation are at minimal risk. Audit your codebase to identify SpEL usage (look for @Value annotations with expressions, SpELParserConfiguration, or StandardEvaluationContext) and prioritize patching those components.
What is the difference between this vulnerability and a code injection flaw?
This is an authorization bypass, not an injection vulnerability. The attacker is not injecting arbitrary code; instead, they are invoking zero-argument methods that already exist in the application or libraries on the classpath. The vulnerability is that access restrictions intended to prevent such invocation are not enforced. The impact is therefore constrained to the methods available in the application, not arbitrary command execution.
Is this vulnerability exploitable without network access?
The CVSS vector indicates network accessibility (AV:N), but actual exploitability depends on whether the application exposes SpEL evaluation to an attacker. If SpEL is only used to process internal configuration or trusted data sources, network access alone is not sufficient. Conversely, if SpEL is used in a web endpoint, API parameter, or message queue processor, network-based exploitation is possible. Review your application architecture to determine exposure.
What should we do if we cannot patch immediately?
Implement input validation to reject or sanitize user-supplied data before it reaches SpEL evaluation. Avoid marking evaluation contexts as read-only if you do not have confidence in the restriction. Consider disabling SpEL processing for untrusted sources entirely. Implement logging and alerting on SpEL exceptions or unusual method invocations. These are temporary mitigations; patching should remain on your roadmap within the next 1-2 maintenance cycles.
This analysis is based on publicly available information as of the publication date and does not constitute professional security advice. Organizations should verify patch availability and compatibility with their specific Spring Framework versions against VMware's official security advisories before deploying updates. Testing in a non-production environment is strongly recommended. The absence of a CVSS score update or KEV listing does not guarantee absence of exploit development; threat actors may begin research after publication. SEC.co does not warrant the completeness or accuracy of external references and recommends consulting primary vendor documentation for definitive vulnerability and remediation details. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45426LOWApache Airflow Log-Server JWT Validation Flaw Enables Cross-Dag Access
- CVE-2026-50266LOWOpenStack Neutron Multi-Tenant RBAC Bypass and Network Spoofing
- CVE-2025-14774HIGHABB T-MAC Plus Denial-of-Service Vulnerability (CVSS 7.4)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler