CVE-2026-41850 - Vulnerability Details - OpenCVE

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://spring.io/security/cve-2026-41850

History

Tue, 09 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title		Spring Framework Algorithmic Denial of Service via SpEL Expressions
Weaknesses		CWE-407
References		https://spring.io/security/cve-2026-41850
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-09T03:51:22.479Z

Updated: 2026-06-09T03:51:22.479Z

Reserved: 2026-04-22T06:22:08.200Z

Link: CVE-2026-41850

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T05:16:37.177

Modified: 2026-06-09T05:16:37.177

Link: CVE-2026-41850

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41850", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-22T06:22:08.200Z", "datePublished": "2026-06-09T03:51:22.479Z", "dateUpdated": "2026-06-09T03:51:22.479Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-09T03:51:22.479Z"}, "title": "Spring Framework Algorithmic Denial of Service via SpEL Expressions", "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "cweId": "CWE-407", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can supply user-controlled SpEL expressions can provide a specially crafted expression that triggers excessive resource consumption during evaluation, leading to application degradation or unavailability."}]}], "affected": [{"vendor": "Spring", "product": "Spring Framework", "defaultStatus": "unaffected", "versions": [{"status": "affected", "version": "7.0.0", "lessThan": "7.0.8", "versionType": "custom"}, {"status": "affected", "version": "6.2.0", "lessThan": "6.2.19", "versionType": "custom"}, {"status": "affected", "version": "6.1.0", "lessThan": "6.1.28", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.49", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48."}]}], "references": [{"url": "https://spring.io/security/cve-2026-41850"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}