Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws

Key findings
- 25 vulnerabilities disclosed for Spring Projects components between June 9-10, 2026.
- High severity flaws include SpEL injection, arbitrary class instantiation, and code execution.
- Spring Security, Spring Data, Spring Kafka, and Spring JMS are among the affected projects.
- Denial of Service vulnerabilities are prevalent, impacting heap exhaustion and resource allocation.
- Deserialization risks exist in JMS and Kafka integrations, allowing for potential gadget exploitation.
- Users are urged to update to patched versions to address these widespread security issues.
Spring Projects addressed a significant batch of 25 vulnerabilities disclosed between June 9 and June 10, 2026. The disclosures span various components, including Spring Security, Spring Data, Spring Kafka, and Spring JMS, with several vulnerabilities carrying a High severity rating. These issues present risks ranging from arbitrary class instantiation and SpEL injection to denial of service and open redirect vulnerabilities.
Several vulnerabilities center on Spring Data components. CVE-2026-41729 and CVE-2026-41732 highlight issues in Spring Data REST and JsonPulsarHeaderMapper respectively, where improper handling of trusted packages could lead to arbitrary class instantiation or trusted package exploitation. CVE-2026-41731 in JsonKafkaHeaderMapper presents a similar risk. Spring Data REST also suffers from SpEL expression injection via JSON Patch requests (CVE-2026-41729) and insufficient validation of intermediate path segments (CVE-2026-41728), potentially allowing unauthorized access or manipulation.
Spring Security is also impacted by multiple flaws. CVE-2026-47838 involves incorrect handling of X.509 certificate CN values, leading to potential user impersonation. CVE-2026-41008 presents an Open Redirect vulnerability due to insufficient validation of the request_uri parameter in the authorization endpoint. Furthermore, CVE-2026-41003 allows for arbitrary code execution on HTML forms generated by Spring Security filters under certain conditions, while CVE-2026-40988 describes a denial of service vulnerability in the SAML 2.0 REDIRECT binding.
Denial of Service (DoS) vulnerabilities are a recurring theme across several CVEs. CVE-2026-41716 and CVE-2026-41695 in Spring Data Commons affect the internal property-lookup cache and property path resolution, respectively, allowing heap exhaustion or resource exhaustion through attacker-controlled inputs. CVE-2026-41713, not detailed in this summary, is reported in related coverage as a DoS vector. Additionally, CVE-2026-41721 and CVE-2026-41711 in Spring Data Commons can lead to DoS conditions through excessive memory allocation or StackOverflowExceptions when processing Sort parameters or specially crafted HTTP requests.
Deserialization vulnerabilities are present in the batch, particularly concerning JMS and Kafka. CVE-2026-41855, disclosed on June 9th, allows arbitrary class instantiation via untrusted JMS environments through Jackson converters, potentially leading to gadget class deserialization. CVE-2026-41726 in Spring Kafka's DelegatingDeserializer can lead to heap exhaustion by allowing producers to grow the consumer's heap without bound.
Other notable vulnerabilities include information disclosure in Spring Data REST, where exception cause chains are serialized into HTTP error responses (CVE-2026-41730), and predictable correlation IDs in Spring AMQP's RabbitTemplate (CVE-2026-41701). Spring Security SAML has a low-severity vulnerability (CVE-2026-41694) where SAML Responses and LogoutRequests can be decrypted without a valid signature, potentially acting as a decryption oracle. Spring Data Relational has a blind data inference vulnerability (CVE-2026-41697) when using StringMatcher with externally controlled input.
Spring Projects has released patches and updated versions to address these vulnerabilities. Users are strongly advised to consult the official advisories for specific version information and apply the necessary updates to mitigate these risks. The broad impact across multiple Spring projects underscores the importance of maintaining up-to-date dependencies and reviewing configurations, especially for components handling user input or external data.