HIGH 8.1

CVE-2026-41855: Spring Framework JMS Deserialization Vulnerability (CVSS 8.1)

Spring Framework's JMS message converters contain a deserialization flaw that allows attackers to instantiate arbitrary classes when processing untrusted messages from a JMS broker. An attacker with access to a JMS broker—or one who can inject malicious messages into it—can exploit gadget classes present on the application's classpath to execute unauthorized actions, including potential remote code execution. The vulnerability affects multiple recent versions of Spring Framework across several release branches.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-29

NVD description (verbatim)

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41855 is a deserialization vulnerability in Spring Framework's JMS support layer, specifically in the MappingJackson2MessageConverter and JacksonJsonMessageConverter classes. These converters use Jackson to deserialize JSON payloads from JMS messages without sufficient validation. An attacker crafting a malicious message can embed serialized gadget class references that, when deserialized, trigger unintended object instantiation and method execution. The attack requires either direct JMS broker access or the ability to inject messages into a broker that the vulnerable application consumes from. The vulnerability is present in Spring Framework versions 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48.

Business impact

Organizations running vulnerable Spring Framework versions that use JMS message converters face risk of unauthorized actions executed within the application context. Depending on gadget classes available on the classpath and application permissions, this could range from data exfiltration to remote code execution. The impact is elevated in systems where JMS brokers are shared across untrusted networks or where message sources are not strictly validated. Remediation requires promptly updating to patched versions, and organizations should assess whether their JMS deployments enforce broker access controls and message source validation.

Affected systems

Any application using Spring Framework versions 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, or 7.0.0–7.0.7 that enables JMS message conversion via MappingJackson2MessageConverter or JacksonJsonMessageConverter is potentially affected. The vulnerability requires that the application processes messages from a JMS source and that an attacker can reach the JMS broker or inject messages into it. Applications using only other message conversion methods (e.g., SimpleMessageConverter without Jackson) are not affected.

Exploitability

Exploitation requires network or broker-level access to inject a malicious JMS message and knowledge of gadget classes present on the target application's classpath. The CVSS vector (AV:N/AC:H) indicates network accessibility but high complexity. While the attack is not trivial, it is feasible for attackers with broker compromise or message-injection capabilities. The lack of current KEV status suggests this vulnerability has not yet been widely exploited in known active attacks, but organizations should not rely on this as a reason to delay patching.

Remediation

Update Spring Framework to a patched version: for the 7.0 branch, upgrade to 7.0.8 or later; for 6.2, upgrade to 6.2.19 or later; for 6.1, upgrade to 6.1.28 or later; for 5.3, upgrade to 5.3.49 or later. Verify the exact patched version against the official VMware Spring Framework security advisory. Additionally, implement defense-in-depth measures: restrict JMS broker access to trusted clients only, validate message sources, and consider disabling Jackson-based message conversion if it is not required. Monitor classpath dependencies for unnecessary gadget libraries that could be exploited if deserialization occurs.

Patch guidance

Apply the following updates based on your Spring Framework version branch: (1) Spring 7.0.x: update to 7.0.8 or later; (2) Spring 6.2.x: update to 6.2.19 or later; (3) Spring 6.1.x: update to 6.1.28 or later; (4) Spring 5.3.x: update to 5.3.49 or later. Verify exact patch versions in the official VMware Spring Framework security advisory before deployment. Test updates in a non-production environment to ensure compatibility with your message conversion workflows. After patching, restart all instances consuming JMS messages.

Detection guidance

Monitor for deserialization attempts on the classpath by enabling debug logging on org.springframework.jms.support.converter classes. Search application logs for unexpected object instantiation or ClassNotFoundException errors during JMS message processing, which may indicate failed gadget exploitation attempts. Use Java-based intrusion detection or bytecode analysis tools to track deserialization calls. If you suspect exploitation, examine JMS broker audit logs for unusual message payloads or sources. Network-level detection is difficult without payload inspection; focus on access control logs for the JMS broker itself.

Why prioritize this

This vulnerability merits prompt attention due to its HIGH CVSS severity (8.1), potential for remote code execution through gadget deserialization, and the widespread use of Spring Framework in enterprise applications. Although the attack requires broker-level access or message injection capability, organizations with less-restrictive JMS broker security postures face elevated risk. The broad version range affected increases the likelihood that some deployments are vulnerable. Immediate patching is recommended for systems that process JMS messages from any untrusted or shared-broker sources.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) reflects a network-accessible attack requiring high complexity to execute, with high impact on confidentiality, integrity, and availability if successful. The complexity is elevated because an attacker must craft a precise gadget payload and gain broker access or injection capability. However, the potential for arbitrary code execution and the presence of gadget classes in many enterprise classpaths elevates the practical risk. The lack of user interaction (UI:N) and the ability to bypass the broker's normal authorization boundaries further justify the high score.

Frequently asked questions

Do I need JMS to be exposed to the internet for this vulnerability to be exploited?

No. Exploitation requires access to a JMS broker or the ability to inject messages into one the application consumes from. This could occur via direct network access, a compromised internal system, or a shared broker in a multi-tenant environment. If your JMS broker is not restricted to trusted internal clients only, you are at higher risk.

What if I'm using Spring Framework but not using JMS message converters?

If your application does not use MappingJackson2MessageConverter or JacksonJsonMessageConverter for JMS message conversion, you are not affected by this vulnerability. However, verify your Spring JMS configuration and message handling code to confirm. If you use only alternative message conversion methods, patching is less urgent but still recommended as part of normal security maintenance.

Can this vulnerability be exploited without gadget classes on my classpath?

In general, no. Gadget classes—typically found in libraries like commons-collections, spring-core, or other common dependencies—are required to chain method calls during deserialization and achieve code execution. If your application classpath contains no exploitable gadget chains, the risk is significantly reduced, though the deserialization flaw itself remains a security concern. Use tools like ysoserial to scan your classpath for known gadget chains.

Does disabling Jackson or switching message converters eliminate the risk?

Yes, if you can safely disable Jackson-based message conversion and use a safer alternative (such as text-based serialization with explicit parsing), you eliminate the deserialization risk from this specific vulnerability. However, before making this change, ensure that your application logic does not depend on Jackson for message processing, and test thoroughly in a staging environment.

This analysis is provided for informational purposes and reflects information available as of the publication date. Patch version numbers and specific remediation steps should be verified against the official VMware Spring Framework security advisory before deployment. The vulnerability's exploitability may vary based on your specific JMS broker configuration, message source restrictions, and classpath dependencies. No guarantees are made regarding the completeness or accuracy of detection or remediation guidance. Always test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).