CVE-2026-6125
Description
A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Code injection in Dromara warm-flow's SpelHelper.parseExpression via listenerPath/skipCondition/permissionFlag, leading to remote code execution.
Vulnerability Description
A code injection vulnerability exists in Dromara warm-flow up to version 1.8.4. The flaw resides in the SpelHelper.parseExpression function within the workflow definition handler at /warm-flow/save-json. By manipulating the listenerPath, skipCondition, or permissionFlag arguments, an attacker can inject arbitrary SpEL expressions, resulting in code execution [3][4].
Attack Vector
The vulnerability can be exploited remotely without authentication. An attacker sends a crafted request to the /warm-flow/save-json endpoint, supplying malicious values for the vulnerable parameters. The exploit has been publicly released, increasing the risk of active exploitation [4].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server running warm-flow. This could lead to full compromise of the application, data theft, or further lateral movement within the network. The CVSS v3.1 base score is 6.3 (Medium), indicating significant potential for damage.
Mitigation
As of now, the official Dromara warm-flow repository has not released a patch specifically for this CVE. Users are advised to update to a version later than 1.8.4 if available, or apply mitigations such as restricting access to the vulnerable endpoint and sanitizing input parameters [3][4].
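The mitigation above mentions sanitizing input parameters. For SpEL specifically, the more robust defence is to evaluate stored expressions in a restricted context rather than to filter strings. The following is an added, generic illustration and is not warm-flow's own SpelHelper or any code from the Dromara project; the class name RestrictedConditionEvaluator, the variable map and the sample conditions are assumptions made for this example. It relies only on the public Spring Expression API (SpelExpressionParser, SimpleEvaluationContext).

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

import java.util.Map;

// Hypothetical hardened evaluator for workflow conditions (e.g. a skip
// condition stored with a workflow definition). Illustrative only; this is
// not the project's SpelHelper.
public final class RestrictedConditionEvaluator {

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    private RestrictedConditionEvaluator() {}

    /**
     * Evaluates a stored condition against a map of workflow variables.
     *
     * SimpleEvaluationContext.forReadOnlyDataBinding() deliberately omits
     * type references (T(...)), constructors (new ...), bean references
     * (@bean) and assignment, so an expression can only read data from the
     * root object. A StandardEvaluationContext would expose the full
     * language, which is what turns a user-controlled expression into code
     * execution.
     */
    public static boolean evaluate(String condition, Map<String, Object> variables) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext
                .forReadOnlyDataBinding()
                .build();
        try {
            Expression expr = PARSER.parseExpression(condition);
            Boolean result = expr.getValue(ctx, variables, Boolean.class);
            return Boolean.TRUE.equals(result);
        } catch (ParseException | EvaluationException e) {
            // Anything outside the data-binding subset, or a malformed
            // expression, fails closed. Logging the rejection gives the SOC a
            // signal for attempts against the endpoint.
            System.err.println("rejected condition: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample variables for the demonstration.
        Map<String, Object> vars = Map.of("amount", 500, "role", "manager");

        // Ordinary data-binding expressions still work as intended: prints true.
        System.out.println(evaluate("['amount'] > 100 && ['role'] == 'manager'", vars));

        // A type reference is not available in the restricted context, so the
        // expression is rejected and the method returns false.
        System.out.println(evaluate("T(java.lang.Math).abs(-1) == 1", vars));
    }
}
```

Restricting the endpoint (authentication plus an allow-list of who may save workflow definitions) and validating expressions at save time with the same restricted context are complementary: the second stops a stored expression from ever being accepted, the first limits who can attempt it.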
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.dromara.warm:warm-flow-plugin-modes-sb | Maven | < 1.8.5 | 1.8.5 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-822v-8w6h-5jxp (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2026-6125 (GHSA, advisory)
3. gitee.com/dromara/warm-flow/issues/IHURVQ (NVD, web)
4. vuldb.com/submit/793322 (NVD, web)
5. vuldb.com/vuln/356989 (NVD, web)
6. vuldb.com/vuln/356989/cti (NVD, web)
News mentions
No linked articles in our index yet.