VYPR
High severity (CVSS 8.1). NVD Advisory, published Jun 9, 2026.

CVE-2026-41855

Description

Spring Framework's Jackson JMS converters allow arbitrary class instantiation and deserialization in untrusted JMS environments, leading to unauthorized actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation. This can lead to unauthorized actions via gadget class deserialization. Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker needs network access to an untrusted JMS environment. The vulnerability is triggered when the Jackson JMS converters process messages, allowing for arbitrary class instantiation and subsequent deserialization of malicious gadget classes. No specific authentication or user interaction is mentioned as required for exploitation in the available references [1].

Impact

Successful exploitation allows an attacker to perform unauthorized actions through gadget class deserialization. This can lead to a compromise of confidentiality, integrity, and availability, potentially resulting in remote code execution or other significant system compromise within the scope of the application using the vulnerable converters [1].

Mitigation

For trusted JMS environments, no mitigation is necessary. For untrusted environments, users should upgrade to the corresponding fixed versions: 7.0.8, 6.2.19, 6.1.28, or 5.3.49. Additionally, limit deserialization by using the setTrustedPackages(String... trustedPackages) methods introduced in those fixed versions. Versions that are no longer supported are also affected [1].
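Added example, not from the advisory or from the Spring project: the risky setup, a converter that lets the sender's type-id property choose which class is instantiated, shown beside the hardened one that runs on a fixed Spring Framework version and restricts type resolution with setTrustedPackages. The configuration class, bean names, the "_type" property name and the "com.example.orders.dto" package are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageConverter;
import org.springframework.jms.support.converter.MessageType;

@Configuration
public class JmsConverterConfig {

    // Risky in an untrusted JMS environment: the target class is read from the
    // "_type" message property, so whoever can publish to the destination decides
    // which class Jackson instantiates and populates from the JSON body.
    // Deliberately not registered as a @Bean; shown only for contrast.
    public MessageConverter unrestrictedConverter() {
        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
        converter.setTargetType(MessageType.TEXT);
        converter.setTypeIdPropertyName("_type");
        return converter;
    }

    // Hardened: same converter on a fixed release (7.0.8 / 6.2.19 / 6.1.28 / 5.3.49),
    // with type-id resolution limited to our own DTO package (assumed name), so a
    // type id pointing at a gadget class outside that package is rejected instead
    // of instantiated.
    @Bean
    public MessageConverter trustedConverter() {
        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
        converter.setTargetType(MessageType.TEXT);
        converter.setTypeIdPropertyName("_type");
        converter.setTrustedPackages("com.example.orders.dto");
        return converter;
    }
}
```

Where the set of message types is small and fixed, mapping each type id to an explicit class with setTypeIdMappings (an existing MappingJackson2MessageConverter method) removes sender-controlled class resolution altogether.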

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
