Spring Framework: 13 Vulnerabilities Disclosed on June 9, 2026

Key findings
- 13 Spring Framework vulnerabilities disclosed simultaneously on June 9, 2026.
- High severity issues include arbitrary class instantiation via JMS and multiple Denial of Service (DoS) vectors in SpEL and static resource handling.
- SpEL evaluation is a common theme, leading to DoS and unintended method invocation.
- Spring MVC and WebFlux applications are affected by path traversal, DoS, information disclosure, and security bypass flaws.
- Vulnerabilities impact a wide range of Spring Framework versions, including 7.0.x, 6.2.x, 6.1.x, and 5.3.x.
- Affected components include SpEL, JMS converters, Multipart requests, static resource resolvers, and Kotlin Router DSL.
On June 9, 2026, Spring Projects released an advisory detailing 13 vulnerabilities discovered in the Spring Framework. These vulnerabilities, disclosed simultaneously, affect multiple components and functionalities, including the Spring Expression Language (SpEL), Spring MVC, and Spring WebFlux. The issues range in severity from Low to High, with several posing significant risks such as arbitrary class instantiation, denial of service, and path traversal.
Only one of the disclosures concerns JMS, but it is among the most serious: CVE-2026-41855, a High severity vulnerability, allows arbitrary class instantiation in untrusted JMS environments, potentially leading to unauthorized actions via gadget class deserialization. The Spring Expression Language (SpEL) is implicated in four of the remaining disclosures. CVE-2026-41850 and CVE-2026-41849 are High severity algorithmic Denial of Service (DoS) vulnerabilities: specially crafted expressions cause excessive resource consumption or integer overflows during evaluation. CVE-2026-41851 is a further DoS risk in which SpEL evaluation triggers unbounded cache growth. CVE-2026-41852, a Low severity issue, permits arbitrary zero-argument method invocation within SpEL, even in restricted evaluation contexts. The common thread is that evaluating attacker-influenced expressions either exhausts resources or reaches methods the caller never intended to expose.
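The practical boundary behind the SpEL findings is where the expression text comes from. The following is an added example (written for this page, not code from the advisory or from the Spring project) contrasting the shape that hands request-controlled expression text to SpEL with the shape that keeps the expression fixed and binds request data only as the root object. The `Order` bean, its fields and the expression strings are constructed for illustration. Note the caveat the summary itself implies: a restricted context such as `SimpleEvaluationContext` is defense in depth, not the fix. CVE-2026-41852 is described as working even in restricted contexts, and the DoS issues arise from evaluating a crafted expression at all, so the primary control is that expression text never originates from the request, and the upgrade is what closes the reported issues.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelBoundaryDemo {

    // Constructed sample bean; 'customer' stands in for request-controlled data.
    public static class Order {
        private final String customer;
        private final int quantity;

        public Order(String customer, int quantity) {
            this.customer = customer;
            this.quantity = quantity;
        }

        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Anti-pattern: the expression TEXT is request-controlled. Whoever supplies it
    // decides what the parser and evaluator do; a full StandardEvaluationContext
    // additionally exposes type references, constructors and method calls.
    static Object evaluateUntrustedText(String requestControlledExpression, Order root) {
        return PARSER.parseExpression(requestControlledExpression)
                .getValue(new StandardEvaluationContext(root));
    }

    // Hardened: the expression is a fixed string owned by the application. Request
    // data only ever enters as the root object the expression reads from, and the
    // context is the read-only data-binding variant (no type references, no
    // constructors, no bean references).
    static Object evaluateFixedText(Order root) {
        Expression expr = PARSER.parseExpression("quantity > 0 ? customer : 'nobody'");
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expr.getValue(ctx, root);
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 3);
        System.out.println(evaluateFixedText(order)); // alice

        // A type reference is refused by the restricted context at evaluation time,
        // because SimpleEvaluationContext has no type locator.
        try {
            PARSER.parseExpression("T(java.lang.System).getProperty('user.home')")
                    .getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), order);
        } catch (EvaluationException e) {
            System.out.println("restricted context refused: " + e.getMessage());
        }
    }
}
```

When auditing a code base for the SpEL findings, `evaluateUntrustedText` is the shape to grep for: any call to `parseExpression` whose argument is not a compile-time constant deserves a look, regardless of which evaluation context follows it.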
Spring MVC and WebFlux applications are affected by a cluster of issues in static resource resolution. CVE-2026-41843, a Medium severity Path Traversal vulnerability, allows attackers to access unintended resources when static files are resolved. CVE-2026-41842, a High severity Denial of Service (DoS) vulnerability in the same resolution process, can render the application unavailable. CVE-2026-41841, also Medium severity, presents an Information Disclosure risk during static resource resolution.
Four further issues affect Spring MVC and WebFlux. CVE-2026-41853 describes a Medium severity Multipart request smuggling vulnerability. CVE-2026-41844, also Medium severity, allows 302 redirects to arbitrary external hosts through the 'redirect:' view-name prefix when a '/**' mapping is used without an explicit view name (with no explicit name, Spring MVC derives the view name from the request). CVE-2026-41847, Medium severity, is a security bypass in Spring WebFlux when the Kotlin Router DSL is used. Lastly, CVE-2026-41839, Medium severity, details an escalation attack in WebFlux applications in which a compromised subdomain can be used to exchange a session ID for an authenticated user's session.
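The redirect finding has a concrete code shape, so here is an added example (mine, not the advisory's or the Spring project's code) for a servlet-based Spring MVC application: the catch-all handler that returns no view name, the same handler naming its view explicitly, and, as extra defense in depth of my own choosing, a replacement `RequestToViewNameTranslator` that refuses any derived view name carrying a prefix separator. The view name `notFound`, the class names and the bean wiring are assumptions for illustration; the real fix for CVE-2026-41844 is the framework upgrade.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.RequestToViewNameTranslator;
import org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator;

// Shape the advisory summary describes: a catch-all mapping whose handler returns
// nothing, so DispatcherServlet asks its RequestToViewNameTranslator to derive a
// view name from the request path and hands that string to the view resolver,
// prefix and all. Deliberately NOT annotated @Controller here, so it is not
// registered next to the hardened version below (two "/**" handlers would be ambiguous).
class CatchAllWithoutViewName {
    @RequestMapping("/**")
    public void fallback() {
        // void return: the view name is derived from the URL
    }
}

// Hardened handler: the view is named explicitly, so the request path never becomes a view name.
@Controller
class CatchAllController {
    @RequestMapping("/**")
    public String fallback() {
        return ViewNameTranslatorConfig.FALLBACK_VIEW; // plain logical view name, resolved normally
    }
}

// Defense in depth for any void handler that remains: replace the default translator
// with one that refuses derived view names containing ':' (the separator used by
// "redirect:" and "forward:") and routes them to a fixed view instead.
@Configuration
class ViewNameTranslatorConfig {

    static final String FALLBACK_VIEW = "notFound"; // assumed to exist in the app's view layer

    // DispatcherServlet looks up its RequestToViewNameTranslator under this exact bean name.
    @Bean(name = "viewNameTranslator")
    public RequestToViewNameTranslator viewNameTranslator() {
        DefaultRequestToViewNameTranslator delegate = new DefaultRequestToViewNameTranslator();
        return request -> {
            String derived = delegate.getViewName(request);
            return isPlainViewName(derived) ? derived : FALLBACK_VIEW;
        };
    }

    // A view name we are willing to hand to the resolver: non-empty, no prefix
    // separator, not an absolute path.
    static boolean isPlainViewName(String viewName) {
        return viewName != null
                && !viewName.isEmpty()
                && !viewName.contains(":")
                && !viewName.startsWith("/");
    }
}
```

The translator only matters for handlers that return no view; `CatchAllController` shows the simpler and preferable change, which is to never let a `/**` mapping fall through to request-derived view naming in the first place.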
Affected version ranges differ between the issues. Eight of them (CVE-2026-41853, CVE-2026-41852, CVE-2026-41851, CVE-2026-41850, CVE-2026-41843, CVE-2026-41842, CVE-2026-41841, and CVE-2026-41839) affect Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48. CVE-2026-41844 affects the same ranges with the exception of the 6.2.x branch. CVE-2026-41847 is listed only for 5.3.0 through 5.3.48. CVE-2026-41855 is characterised by environment rather than version: it applies to deployments that consume JMS messages from untrusted sources. The thirteenth issue, CVE-2026-41848, is a regular expression Denial of Service (ReDoS) in AntPathMatcher methods. The summary gives no version range for CVE-2026-41848 or CVE-2026-41849.
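To turn those ranges into a quick triage of a dependency tree, here is an added example (not from the advisory or the Spring project) that classifies a `spring-core` version string against the four inclusive ranges stated above. The sample version strings are constructed; the verdicts are deliberately narrow: "above listed range" means only that the version lies past the stated range for its branch, and "branch not listed" (for example a 6.0.x or 5.2.x build) means the advisory summary does not assess it at all, which must not be read as fixed. CVE-2026-41844 and CVE-2026-41847 have narrower ranges than the ones encoded here, and no range is given for CVE-2026-41855, CVE-2026-41848 or CVE-2026-41849, so a clean result from this check covers only the eight issues that share the common ranges. Assumes Java 17 for the record syntax.

```java
import java.util.List;
import java.util.Locale;

public class SpringVersionCheck {

    /** Inclusive [from, to] range, exactly as the advisory summary states it. */
    record Range(String from, String to) {}

    // The four ranges shared by eight of the CVEs on the page.
    static final List<Range> AFFECTED = List.of(
            new Range("7.0.0", "7.0.7"),
            new Range("6.2.0", "6.2.18"),
            new Range("6.1.0", "6.1.27"),
            new Range("5.3.0", "5.3.48"));

    enum Verdict { AFFECTED, ABOVE_LISTED_RANGE, BRANCH_NOT_LISTED }

    // Parse "major.minor.patch", tolerating a trailing qualifier such as
    // "-SNAPSHOT" or ".RELEASE" (assumption: numeric first three components).
    static int[] parse(String version) {
        String[] parts = version.trim().split("[.\\-]");
        int[] n = new int[3];
        for (int i = 0; i < 3; i++) {
            boolean numeric = i < parts.length
                    && !parts[i].isEmpty()
                    && parts[i].chars().allMatch(Character::isDigit);
            n[i] = numeric ? Integer.parseInt(parts[i]) : 0; // missing or non-numeric counts as 0
        }
        return n;
    }

    static int compare(String a, String b) {
        int[] x = parse(a);
        int[] y = parse(b);
        for (int i = 0; i < 3; i++) {
            if (x[i] != y[i]) {
                return Integer.compare(x[i], y[i]);
            }
        }
        return 0;
    }

    /**
     * Classify by branch (major.minor): inside the stated range for that branch,
     * above it, or on a branch the summary does not list at all.
     */
    static Verdict assess(String version) {
        int[] v = parse(version);
        for (Range r : AFFECTED) {
            int[] from = parse(r.from());
            if (v[0] == from[0] && v[1] == from[1]) {
                return compare(version, r.to()) <= 0 ? Verdict.AFFECTED : Verdict.ABOVE_LISTED_RANGE;
            }
        }
        return Verdict.BRANCH_NOT_LISTED;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for what `mvn dependency:tree` or
        // `gradle dependencies` prints for spring-core; pass real ones as arguments.
        String[] samples = args.length > 0 ? args
                : new String[] { "6.2.18", "6.2.19", "5.3.48", "7.0.7", "6.0.23", "5.2.25.RELEASE" };
        for (String v : samples) {
            System.out.printf(Locale.ROOT, "%-16s %s%n", v, assess(v));
        }
    }
}
```

With the constructed samples, 6.2.18, 5.3.48 and 7.0.7 come back AFFECTED, 6.2.19 comes back ABOVE_LISTED_RANGE, and 6.0.23 and 5.2.25.RELEASE come back BRANCH_NOT_LISTED. Run it once per module, since transitive Spring versions in a multi-module build can differ from the one declared at the top level.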
Users of the Spring Framework are strongly advised to review the specific vulnerabilities and apply the necessary patches or updates provided by Spring Projects. The breadth of issues, touching on core functionalities like expression evaluation and resource handling, underscores the importance of maintaining up-to-date and secure configurations. The simultaneous disclosure suggests a coordinated effort to address a significant set of security weaknesses within the framework.