Bug 2486721 (CVE-2026-41852)

Summary: CVE-2026-41852 spring-framework: org.springframework/spring-expression: Spring Framework: SpEL vulnerability allows unintended application logic invocation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abrianik, anujha, aschwart, asoldano, aszczucz, ataylor, bbaranow, bmaxwell, boliveir, bstansbe, dlofthou, drichtar, ehugonne, fmongiar, ggrzybek, gmalinko, gtanzill, istudens, ivassile, iweiss, janstey, jbuscemi, jnethert, jraez, mosmerov, mposolda, msvehla, nwallace, parichar, pdelbell, pesilva, pjindal, pmackay, rhel-process-autobot, rmartinc, rstancel, rstepani, sdawley, ssilvert, sthorger, tasato, thjenkin, vdosoudi, vmuzikar, watson-tool-maintainers
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Spring Framework. A vulnerability in the Spring Expression Language (SpEL) evaluation logic allows an attacker to invoke arbitrary zero-argument methods, even in restricted contexts. This can lead to the execution of unintended application logic, potentially resulting in a Denial of Service (DoS).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-09 05:02:30 UTC
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.