Description
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.

Affected versions:
Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Published: 2026-06-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. This flaw permits unintended evaluation of expressions, which can result in the execution of arbitrary code, manipulation of application data, or other unintended behavior. The vulnerability is an expression injection weakness identified as CWE-917.

Affected Systems

Spring Web Flow versions 4.0.0, 3.0.0 through 3.0.1, and 2.5.0 through 2.5.1 are affected. These versions are employed within Spring-based web applications that use the Web Flow module.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified currently. The vulnerability is not listed in CISA’s KEV catalog. It is inferred that an attacker could deliver malicious Unified EL expressions via web requests to a configured parser, potentially enabling remote code execution or other unauthorized actions.

Generated by OpenCVE AI on June 11, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched version of Spring Web Flow available from the vendor
  • Disable or remove the WebFlowELExpressionParser configuration if not required
  • Implement strict input validation and sanitization for any Unified EL expressions before evaluation

Tracking

Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Spring; Spring spring Web Flow

Type: Vendors & Products
Values Removed: none
Values Added: Spring; Spring spring Web Flow

Thu, 11 Jun 2026 05:15:00 +0000

Type: Description
Values Removed: none
Values Added: Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

Type: Title
Values Removed: none
Values Added: Data Binding Vulnerability in Spring Web Flow with Unified EL Parser

Type: Weaknesses
Values Removed: none
Values Added: CWE-917

Type: References
Values Removed: none
Values Added: none

Type: Metrics
Values Removed: none
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Spring Spring Web Flow
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T12:47:09.689Z

Reserved: 2026-04-16T02:19:09.388Z

Link: CVE-2026-40985

Vulnrichment

Updated: 2026-06-11T12:47:06.460Z

NVD

Status: Awaiting Analysis

Published: 2026-06-11T05:16:33.757

Modified: 2026-06-11T15:21:30.653

Link: CVE-2026-40985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:40:27Z

Weaknesses
  • CWE-917

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')