Description
In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization.

Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Published: 2026-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises because the Spring JMS Jackson converters let an incoming message determine which Java class Jackson instantiates when it deserializes the payload. In an untrusted JMS environment, an attacker who can send a crafted message can therefore have the consumer instantiate a gadget class present on its classpath, which can lead to unauthorized actions up to execution of attacker-controlled behaviour in the consuming process, compromising confidentiality, integrity, and availability. The flaw is classified as CWE-502, deserialization of untrusted data.

Affected Systems

Spring Framework versions 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, and 7.0.0–7.0.7 are affected. Any Java application on one of those versions that consumes JMS messages through org.springframework.jms.support.converter.MappingJackson2MessageConverter or the newer JacksonJsonMessageConverter, and that can receive messages from untrusted sources, is exposed.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H scores 8.1 (High): the message can arrive over the network with no privileges or user interaction, and the high attack-complexity rating reflects that an attacker must reach a queue the vulnerable consumer reads and must have a usable gadget class available on that consumer's classpath. The EPSS score is below 1% (Very Low) and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is indicated at the time of writing; unsafe deserialization nonetheless makes exploitation practical once those conditions are met. Likely targets are applications whose JMS broker is publicly reachable or that accept messages from external partners. Successful abuse can yield arbitrary code execution on the application host.

Generated by OpenCVE AI on June 9, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Framework to a release beyond the affected ranges (the first such releases are 7.0.8, 6.2.19, 6.1.28 and 5.3.49; confirm the fixed version against the vendor advisory before rolling out).
  • Do not let the message select the target class: resolve the type-id property only through an explicit typeIdMappings allowlist and reject any id that is not in it, and keep Jackson default typing disabled on the ObjectMapper the converter uses.
  • Restrict JMS traffic to trusted, authenticated producers, isolate the JMS broker from external networks, and apply firewall rules to limit exposure.
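The Impact section above describes the converter letting the message pick the class, and the second recommended action asks for an allowlist. The following is an added example of what that allowlist looks like in code; it is not Spring's own code and not the vendor's fix. It assumes Spring Framework 6.x with Jackson 2 and jakarta.jms (for 5.3 substitute javax.jms), that the converter carries the type id in a JMS string property (here assumed to be named "_type"), and that MappingJackson2MessageConverter exposes the protected getJavaTypeForMessage hook, which the subclass overrides so that an id not in the allowlist is refused before Jackson sees the payload. The class name, the "order" id and the OrderCreated payload type are hypothetical.

```java
import java.util.Map;

import jakarta.jms.JMSException;
import jakarta.jms.Message;

import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageConversionException;
import org.springframework.jms.support.converter.MessageType;

/**
 * Added example (not Spring's code): a converter that refuses to let the
 * message choose the target class. The JMS type-id property is honoured only
 * when it is a key of an explicit allowlist; anything else is rejected.
 * Assumes Spring 6.x / Jackson 2 / jakarta.jms; the "_type" property name,
 * the class name and the "order" id are assumptions for this example.
 */
public class AllowlistJacksonMessageConverter extends MappingJackson2MessageConverter {

    /** JMS string property assumed to carry the type id. */
    static final String TYPE_ID_PROPERTY = "_type";

    private final Map<String, Class<?>> allowedTypes;
    private final ObjectMapper mapper;

    public AllowlistJacksonMessageConverter(ObjectMapper mapper, Map<String, Class<?>> allowedTypes) {
        this.mapper = mapper;
        this.allowedTypes = Map.copyOf(allowedTypes);
        setObjectMapper(mapper);
        setTargetType(MessageType.TEXT);
        setTypeIdPropertyName(TYPE_ID_PROPERTY);
        // Register the same mappings with the base class so that toMessage()
        // writes the short id ("order") rather than a fully qualified class name.
        setTypeIdMappings(this.allowedTypes);
    }

    /**
     * Replaces the base class's type resolution entirely: an id that is not an
     * allowlist key is refused outright, so a sender cannot name a class of
     * its choosing and no class lookup by name ever happens.
     */
    @Override
    protected JavaType getJavaTypeForMessage(Message message) throws JMSException {
        String typeId = message.getStringProperty(TYPE_ID_PROPERTY);
        Class<?> target = (typeId == null) ? null : allowedTypes.get(typeId);
        if (target == null) {
            throw new MessageConversionException(
                    "Rejected JMS message " + message.getJMSMessageID()
                            + " with unknown type id [" + typeId + "]");
        }
        return mapper.getTypeFactory().constructType(target);
    }

    /** Hypothetical payload type, used only to show the allowlist in use. */
    public static class OrderCreated {
        public String orderId;
        public long amountCents;
    }

    /**
     * Intended configuration: default typing explicitly deactivated on the
     * ObjectMapper, and exactly one id mapped to exactly one concrete class.
     */
    public static AllowlistJacksonMessageConverter forOrderQueue() {
        ObjectMapper mapper = new ObjectMapper().deactivateDefaultTyping();
        return new AllowlistJacksonMessageConverter(mapper, Map.of("order", OrderCreated.class));
    }
}
```

Register the instance on both the consuming and producing side, for example with DefaultJmsListenerContainerFactory.setMessageConverter(AllowlistJacksonMessageConverter.forOrderQueue()) and the matching JmsTemplate setter, so that the short id is what travels on the wire. The override is the important part: on affected versions, configuring typeIdMappings alone does not express "and nothing else", whereas the subclass makes an unknown id a hard conversion failure. This is a defence in depth for the consumer; it does not replace upgrading or broker-side authentication.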

Generated by OpenCVE AI on June 9, 2026 at 05:35 UTC.

Tracking


Advisories

No advisories yet.

References
History

Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Spring; Spring spring Framework
Vendors & Products | | Spring; Spring spring Framework

Tue, 09 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Title | | Spring Framework Unsafe Deserialization via Jackson JMS Converters
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:24:50.073Z

Reserved: 2026-04-22T06:22:10.081Z

Link: CVE-2026-41855

Vulnrichment

Updated: 2026-06-09T13:24:43.347Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:37.770

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41855

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T05:45:26Z

Weaknesses