Description
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Spring Expression Language evaluation permits attackers to trigger zero‑argument method calls even when evaluation occurs inside read‑only or restricted contexts. The flaw effectively bypasses intended authorization checks, allowing unintended application logic to execute. This is an authorization issue classified as CWE‑863 and CWE‑917, and can result in privilege escalation or undesired behavior within the application.

Affected Systems

Spring Framework versions 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, and 7.0.0 through 7.0.7 are affected. All deployments of these releases that accept SpEL expressions from untrusted sources are potentially vulnerable.

Risk and Exploitability

The CVSS score is 3.7, indicating a low overall severity. The EPSS score is < 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation activity so far. The likely attack vector is through any component that evaluates SpEL expressions supplied by an attacker; however, the precise conditions required to trigger exploitation are not explicitly detailed in the advisory. Given the low risk rating, the threat remains modest but still exploitable if the application processes untrusted SpEL input.

Generated by OpenCVE AI on June 29, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Spring Framework release that excludes the vulnerable version ranges (e.g., 7.0.8 or newer, 6.2.19 or newer, 6.1.28 or newer, 5.3.49 or newer).
  • If an upgrade is not immediately feasible, restrict or disable method invocation within SpEL expressions by configuring the application to disallow such calls or by sanitizing user input that may be interpreted as an expression.
  • Review all application code that constructs or accepts SpEL expressions from external sources and ensure they are either removed or strictly validated to prevent unintended method execution.

Generated by OpenCVE AI on June 29, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-917
References
Metrics threat_severity

None

threat_severity

Low


Thu, 11 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Framework
CPEs cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Framework

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Framework
Vendors & Products Spring
Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title Spring Framework Arbitrary Method Invocation in SpEL Expressions
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Spring Spring Framework
Vmware Spring Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-27T21:04:27.613Z

Reserved: 2026-04-22T06:22:08.200Z

Link: CVE-2026-41852

cve-icon Vulnrichment

Updated: 2026-06-09T13:38:39.885Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T05:16:37.407

Modified: 2026-06-11T15:43:23.130

Link: CVE-2026-41852

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-09T03:51:39Z

Links: CVE-2026-41852 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:00:05Z

Weaknesses
  • CWE-863

    Incorrect Authorization

  • CWE-917

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')