CVE-2026-41851

Vulnerability

Applications accepting user-supplied Spring Expression Language (SpEL) expressions are vulnerable if the application caches parsed SpEL expressions and an attacker can trigger unbounded cache growth. This affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker can exploit this vulnerability by causing a high volume of SpEL expression evaluations, potentially millions, even with a single expression with dynamic inputs. This requires the application to accept and evaluate untrusted or user-controlled SpEL expressions and to cache these parsed expressions [1].

Impact

Successful exploitation leads to unbounded cache growth, resulting in memory exhaustion and a Denial of Service (DoS) for the affected application. The attacker gains no other privileges or access beyond disrupting the service [1].

Mitigation

Users should upgrade to the following fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, or 5.3.49. Versions that are no longer supported are also affected. No further mitigation steps are necessary [1].