VYPR
Medium severity (CVSS 6.4). NVD Advisory, published Jun 11, 2026.

CVE-2026-40985

Description

Spring Web Flow EL expression parser is vulnerable to malicious Unified EL expressions via data binding, leading to potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Applications using Spring Web Flow versions 4.0.0, 3.0.0 through 3.0.1, and 2.5.0 through 2.5.1 are vulnerable when they explicitly configure the WebFlowELExpressionParser or its base class ELExpressionParser [1]. The vulnerability arises from the use of malicious Unified EL expressions during data binding. The code path is reachable only if the useSpringBinding configuration property is not set to true and view states do not use the `` element to declare the properties to bind [1].

Exploitation

An attacker must have low-privileged access to the application, and user interaction is required [1]. The attacker needs to craft malicious Unified EL expressions that are processed by the WebFlowELExpressionParser during data binding. No further details on the exact sequence of steps are disclosed in the available references [1].

Impact

Successful exploitation can result in high confidentiality and high integrity impact, but no impact on availability, as reflected in the CVSS vector (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N) [1]. The attacker can potentially read sensitive data or modify data within the application context, depending on the permissions of the application.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version: 4.0.1 (OSS), 4.0.0.1 (Enterprise Support), 3.0.2 (OSS), 3.0.1.1 (Enterprise Support), or 2.5.2 (Enterprise Support only) [1]. No further mitigation steps are necessary [1].
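The reachability conditions named under Vulnerability (an explicitly configured EL expression parser, the binding switch left off, and view states without a declared list of bindable properties) are configuration, so they can be audited directly. The following is an added configuration example, not text from the advisory and not the Spring Web Flow project's own code. It assumes that the setting the advisory calls useSpringBinding is the useSpringBeanBinding property of MvcViewFactoryCreator, and it uses Web Flow's standard binder/binding flow-definition elements; bean ids, flow ids, the ExpressionFactory class and the model property names are placeholders. Section (A) is the configuration shape the advisory describes as reachable; (B) and (C) are the two ways of making that path unreachable. Upgrading to a fixed version remains the advisory's stated remediation; these checks help identify affected deployments and reduce exposure in the meantime.

```xml
<!-- Added example, not from the advisory or the Spring Web Flow project.
     Assumption: the advisory's "useSpringBinding" setting is the
     useSpringBeanBinding property of MvcViewFactoryCreator.
     Bean ids, flow ids, the ExpressionFactory class and the model
     property names below are placeholders. -->

<!-- (A) webflow-config.xml: shape that matches the advisory's conditions.
     The EL parser is wired in explicitly, useSpringBeanBinding is left at
     its default (false), and the flow below declares no binder, so data
     binding runs through Unified EL for every submitted parameter name. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:webflow="http://www.springframework.org/schema/webflow-config"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         https://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/webflow-config
         https://www.springframework.org/schema/webflow-config/spring-webflow-config.xsd">

  <webflow:flow-builder-services id="flowBuilderServices"
      expression-parser="expressionParser"
      view-factory-creator="mvcViewFactoryCreator"/>

  <!-- Explicit WebFlowELExpressionParser: the component the advisory names. -->
  <bean id="expressionParser"
        class="org.springframework.webflow.expression.el.WebFlowELExpressionParser">
    <constructor-arg>
      <!-- placeholder: any javax.el.ExpressionFactory implementation -->
      <bean class="placeholder.el.ExpressionFactoryImpl"/>
    </constructor-arg>
  </bean>

  <bean id="mvcViewFactoryCreator"
        class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
    <!-- useSpringBeanBinding not set: defaults to false (EL binding) -->
  </bean>
</beans>

<!-- (B) Hardening option 1: switch data binding to Spring bean binding so
     the Unified EL binding path is not used at all. Replace the
     mvcViewFactoryCreator bean from (A) with this one. -->
<bean id="mvcViewFactoryCreator"
      class="org.springframework.webflow.mvc.builder.MvcViewFactoryCreator">
  <property name="useSpringBeanBinding" value="true"/>
</bean>

<!-- (C) Hardening option 2, in the flow definition (placeholder-flow.xml):
     declare the bindable properties explicitly. Only the listed model
     properties are bound; other request parameter names are ignored
     instead of being evaluated as binding expressions. -->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="
        http://www.springframework.org/schema/webflow
        https://www.springframework.org/schema/webflow/spring-webflow.xsd">

  <var name="booking" class="placeholder.Booking"/>

  <view-state id="enterBookingDetails" model="booking">
    <binder>
      <binding property="checkinDate"/>
      <binding property="checkoutDate"/>
    </binder>
    <transition on="proceed" to="reviewBooking"/>
  </view-state>

  <end-state id="reviewBooking"/>
</flow>
```

When auditing, a deployment matches the advisory's reachable configuration only if all three hold at once: an explicit WebFlowELExpressionParser or ELExpressionParser bean, no useSpringBeanBinding="true", and at least one view state that processes form submissions without a binder. Either (B) or (C) alone removes the condition; (C) must be applied to every such view state to be complete.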

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.