CVE-2026-41851 - Vulnerability Details

- Spring Framework Denial of Service via Unbounded Cache in SpEL

Description

Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Published: 2026-06-09

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Applications that accept user-supplied Spring Expression Language (SpEL) expressions can be exposed to a denial‑of‑service condition when an evaluated expression induces unbounded growth in an internal cache. This memory exhaustion can cause the application to become slow or crash, disrupting availability for legitimate users. The weakness is a classic unbounded memory growth issue, identified as CWE‑770.

Affected Systems

Spring Framework is affected. The vulnerable releases include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity vulnerability. No EPSS data are available, and the vulnerability has not been listed in CISA’s KEV catalog. The likely attack vector is remote, via injection of crafted SpEL expressions provided by an external user or attacker. Exploitation requires that the application evaluate such expressions at run time, making the risk directly tied to the use of SpEL in the code base.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Spring

Spring Framework

unaffected

Version	Status	Constraints
`7.0.0`	affected	< 7.0.8
`6.2.0`	affected	< 6.2.19
`6.1.0`	affected	< 6.1.28
`5.3.0`	affected	< 5.3.49

Configuration 1 [-]

OR	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::
	cpe:2.3:a:vmware:spring_framework::::::::

No data.

Vendor Product Confidence Versions

Spring

Spring Framework

100%

Version	Status	Scheme	Platform
`[7.0.0,7.0.8)`	affected	semver	—
`[6.2.0,6.2.19)`	affected	semver	—
`[6.1.0,6.1.28)`	affected	semver	—
`[5.3.0,5.3.49)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Spring Framework to the latest released version that fixes the cache growth issue (7.0.8 or later, 6.2.19 or later, 6.1.28 or later, or 5.3.49 or later).
If an immediate upgrade is not feasible, configure the application to limit the size of the SpEL evaluation cache or monitor memory usage to detect and mitigate abnormal growth.
Disable or remove unnecessary SpEL expression evaluation if the application does not require it; alternatively, sanitize and validate input expressions to reduce the risk of executing arbitrary SpEL code.

Generated by OpenCVE AI on June 9, 2026 at 05:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://spring.io/security/cve-2026-41851

History

Tue, 09 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vmware Vmware spring Framework
CPEs		cpe:2.3:a:vmware:spring_framework::::::::
Vendors & Products		Vmware Vmware spring Framework

Tue, 09 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 06:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spring Spring spring Framework
Vendors & Products		Spring Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title		Spring Framework Denial of Service via Unbounded Cache in SpEL
Weaknesses		CWE-770
References		https://spring.io/security/cve-2026-41851
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Spring Spring Framework

Vmware Spring Framework

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-09T03:51:32.074Z

Updated: 2026-06-09T13:34:58.008Z

Reserved: 2026-04-22T06:22:08.200Z

Link: CVE-2026-41851

Vulnrichment

Updated: 2026-06-09T13:34:55.071Z

NVD

Status : Analyzed

Published: 2026-06-09T05:16:37.297

Modified: 2026-06-09T20:35:44.357

Link: CVE-2026-41851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:45:26Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object