Bug 2486721 (CVE-2026-41852) - CVE-2026-41852 spring-framework: org.springframework/spring-expression: Spring Framework: SpEL vulnerability allows unintended application logic invocation
Keywords:
Status: NEW
Alias: CVE-2026-41852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-09 05:02 UTC by OSIDB Bzimport
Modified: 2026-06-29 06:41 UTC
CC List: 45 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-09 05:02:30 UTC
A vulnerability in the Spring Expression Language (SpEL) evaluation logic allows arbitrary zero-argument method invocation, even within restricted or read-only evaluation contexts, which may allow an attacker to invoke unintended application logic.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

