CVE-2026-41852
Description
Spring Framework SpEL allows arbitrary zero-argument method invocation in restricted contexts, potentially leading to unintended application logic execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in the Spring Expression Language (SpEL) evaluation logic that permits arbitrary zero-argument method invocation. This issue can occur even within restricted or read-only contexts. The vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. An application is vulnerable if it evaluates untrusted or user-controlled SpEL expressions [1].
Exploitation
An attacker can exploit this vulnerability by providing a crafted SpEL expression that invokes a zero-argument method. The vulnerability does not require network access, privileges, or user interaction, but it does require the application to evaluate untrusted SpEL expressions. The exact steps involve crafting an expression that bypasses context restrictions to call unintended application logic [1].
Impact
Successful exploitation allows an attacker to invoke unintended application logic. While the vulnerability does not directly lead to information disclosure or file manipulation, the invocation of arbitrary methods can result in denial of service or other unpredictable application behavior, depending on the methods that can be invoked [1].
Mitigation
Users of affected versions should upgrade to the following fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, and 5.3.49. No further mitigation steps are necessary beyond upgrading. Versions no longer supported are also affected [1].
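As an added illustration of the two points above, that an application is exposed only when untrusted SpEL text reaches the evaluator and that a restricted (read-only) context is not a substitute for upgrading: the following is not code from Spring or from this advisory; the class names SafeSpelEvaluator and Order and the allowlisted expressions are constructed for the example.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

import java.util.Set;

/** Hypothetical root object; only its data is influenced by the request. */
class Order {
    private final double total;
    Order(double total) { this.total = total; }
    public double getTotal() { return total; }
}

/** Hypothetical helper: evaluates only pre-registered expressions, never request-supplied text. */
public final class SafeSpelEvaluator {

    // Constructed allowlist: the only expression strings this component will ever parse.
    private static final Set<String> ALLOWED_EXPRESSIONS = Set.of(
            "total > 100",
            "total == 0"
    );

    private final ExpressionParser parser = new SpelExpressionParser();

    public boolean evaluate(String expressionText, Order root) {
        // Primary control: user-controlled text never reaches the SpEL parser at all.
        if (!ALLOWED_EXPRESSIONS.contains(expressionText)) {
            throw new IllegalArgumentException("expression is not allowlisted");
        }
        // Secondary control: a read-only data-binding context exposes no type references,
        // constructors or bean references. Per this CVE, unpatched versions still allow
        // zero-argument method invocation inside such a context, so this is defence in depth
        // alongside the upgrade to 7.0.8 / 6.2.19 / 6.1.28 / 5.3.49, not a replacement for it.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = parser.parseExpression(expressionText);
        Boolean result = expr.getValue(ctx, root, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) {
        SafeSpelEvaluator evaluator = new SafeSpelEvaluator();
        System.out.println(evaluator.evaluate("total > 100", new Order(250.0))); // true
        System.out.println(evaluator.evaluate("total > 100", new Order(40.0)));  // false
    }
}
```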
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Spring Framework: 7.0.0 - 7.0.7, 6.2.0 - 6.2.18, 6.1.0 - 6.1.27, 5.3.0 - 5.3.48
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Spring Framework: 13 Vulnerabilities Disclosed on June 9, 2026 · Vypr Intelligence · Jun 9, 2026