CVE-2026-41850

Vulnerability

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). An application is vulnerable when it accepts and evaluates untrusted or user-controlled SpEL expressions. Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted SpEL expression. This expression triggers excessive resource consumption during the evaluation process, leading to application degradation or unavailability. No specific network position, authentication, or user interaction is mentioned as a prerequisite in the available references [1].

Impact

Successful exploitation of this vulnerability can lead to an Algorithmic Denial of Service (DoS) condition. This results in excessive resource consumption, causing application degradation or complete unavailability. The impact is on the availability of the application [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, or 5.3.49. Versions that are no longer supported are also affected. No further mitigation steps are necessary beyond upgrading [1].