Description
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.

Affected versions:
Spring Statemachine 4.0.0 through 4.0.1
Spring Statemachine 3.2.0 through 3.2.4
Published: 2026-06-23
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Statemachine’s Kryo‑based persistence backends (JPA, MongoDB, Redis, ZooKeeper) deserialize persisted state‑machine contexts without enforcing a class allowlist. This flaw, identified as CWE‑502, allows an attacker to supply a crafted serialized payload that is executed within the application JVM, leading to remote code execution. The vulnerability is a classic case of deserialisation of untrusted data.

Affected Systems

The affected product is Spring Statemachine provided by the Spring framework. Versions 4.0.0 through 4.0.1 and 3.2.0 through 3.2.4 are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity flaw. The EPSS score is not available, so the current exploitation probability is unknown, but the lack of a class allowlist provides a clear attack surface. The vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploits as of now. However, the likely attack vector involves an adversary inserting malicious serialized data into one of the supported persistence backends; if this data is later deserialized by the application, arbitrary code will run with the JVM’s privileges.

Generated by OpenCVE AI on June 23, 2026 at 23:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Statemachine to a version that implements a class allowlist (for example, 4.0.2 or later, or 3.2.5 or later)
  • If an upgrade is not immediately feasible, disable Kryo‑based persistence backends or purge any existing persisted state to prevent deserialization of malicious data
  • Configure the application to restrict deserialization to a trusted whitelist of classes or use a security manager to enforce scope limits

Generated by OpenCVE AI on June 23, 2026 at 23:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41862 cve-icon
History

Wed, 24 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Unrestricted Deserialization in Spring Statemachine Persistence Backends

Tue, 23 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-23T20:59:02.378Z

Reserved: 2026-04-22T06:22:10.082Z

Link: CVE-2026-41862

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T23:45:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data