CVE-2026-41850 Overview
CVE-2026-41850 is an algorithmic denial of service vulnerability in the Spring Framework Spring Expression Language (SpEL) evaluator. Applications that evaluate user-supplied SpEL expressions can be forced into excessive resource consumption when an attacker submits a specially crafted expression. The result is application degradation or full unavailability under modest attacker bandwidth.
The issue is classified under CWE-407 (Inefficient Algorithmic Complexity) and is exploitable over the network without authentication or user interaction. Spring Framework is a foundational component in a large portion of Java web applications, which expands the potential exposure footprint.
Critical Impact
An unauthenticated remote attacker can exhaust CPU and memory on any Spring application that evaluates untrusted SpEL input, taking the service offline.
Affected Products
- Spring Framework 7.0.0 through 7.0.7
- Spring Framework 6.2.0 through 6.2.18, and 6.1.0 through 6.1.27
- Spring Framework 5.3.0 through 5.3.48
Discovery Timeline
- 2026-06-09 - CVE-2026-41850 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-41850
Vulnerability Analysis
The Spring Expression Language is a runtime expression evaluator that supports method invocation, property access, collection operations, and complex operator chains. The parser and evaluator perform work proportional to expression structure, not just expression length. Certain operator combinations cause evaluation cost to grow non-linearly relative to input size.
When an application passes attacker-controlled input directly into a SpEL ExpressionParser, the attacker controls that structure. A short payload can trigger evaluation paths that consume disproportionate CPU cycles or allocate excessive memory. Concurrent requests amplify the impact and exhaust thread pools and heap capacity.
This vulnerability affects confidentiality and integrity only indirectly. The direct impact is availability: the JVM stalls under garbage collection pressure or saturates CPU cores executing the expression.
Root Cause
The root cause is missing complexity bounds inside SpEL evaluation. The evaluator does not enforce limits on expression nesting depth, repetition operators, or intermediate result size before execution begins. Inputs that pass syntactic validation can still produce algorithmic blow-up at runtime.
Attack Vector
The attack vector is any HTTP endpoint, message handler, or template that forwards user input into SpEL evaluation. Common exposure patterns include dynamic rule engines, query builders, custom annotation processors, and templating components that resolve #{...} expressions from request data. The attacker submits a crafted expression string and the server consumes resources during evaluation. The vulnerability requires no authentication when the exposed endpoint is public.
No public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Spring Security Advisory for vendor technical details.
Detection Methods for CVE-2026-41850
Indicators of Compromise
- Sustained CPU saturation on Spring application JVMs without a corresponding increase in legitimate request volume.
- Repeated HTTP requests containing SpEL syntax markers such as #{, T(, or long chains of arithmetic and string operators in parameters, headers, or JSON bodies.
- Thread dumps showing many threads stuck inside org.springframework.expression.spel evaluation frames.
- Application response time degradation correlated with specific request signatures from a small set of source IPs.
Detection Strategies
- Inspect web access logs for request parameters that contain SpEL meta-characters and exceed normal length thresholds.
- Instrument the application to log expression strings before evaluation and alert on entries above a defined complexity budget.
- Use Java Flight Recorder or async-profiler to capture sampled stack traces during CPU spikes and confirm SpEL frames are dominant.
Monitoring Recommendations
- Track per-endpoint p99 latency and JVM CPU utilization, and alert on sudden divergence between request rate and resource cost.
- Monitor garbage collection pause time and old-generation occupancy on services that expose any SpEL-backed feature.
- Forward web application firewall denial events to centralized logging and correlate against application latency metrics.
How to Mitigate CVE-2026-41850
Immediate Actions Required
- Upgrade Spring Framework to a patched release as listed in the Spring Security Advisory.
- Inventory all application code paths that call SpelExpressionParser.parseExpression or evaluate @Value annotations against external input.
- Remove or gate any endpoint that evaluates SpEL expressions sourced from untrusted clients.
- Apply request size and rate limits at the proxy or API gateway to reduce attack surface during the patch window.
Patch Information
VMware has published fixed versions through the official Spring security channel. Administrators should upgrade to the corresponding patched line for their branch: 7.0.x, 6.2.x, 6.1.x, or 5.3.x. Refer to the Spring Security Advisory for the exact fixed version numbers and supported upgrade paths.
Workarounds
- Replace user-supplied SpEL evaluation with a restricted expression grammar or a static configuration model.
- Configure SpEL to use SimpleEvaluationContext instead of StandardEvaluationContext to limit available operations on untrusted input.
- Enforce input length and character-class filters on any parameter that may reach an expression parser.
- Place strict timeouts on request handlers that perform expression evaluation so a single request cannot monopolize a worker thread.
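A hardened wrapper that combines the workarounds above with the pre-evaluation complexity budget from the detection section, written as an added example rather than code from Spring or the advisory: it rejects input outside a structural budget, evaluates the rest against a read-only SimpleEvaluationContext (which removes type references, constructors and bean references but is not by itself a cost bound), and cuts evaluation off with a timeout. The budget values, the GuardedSpelEvaluator and Account classes, and the sample expression are assumptions chosen for illustration.

```java
import java.util.concurrent.*;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/** Guards untrusted SpEL input with a structural budget, a restricted context and a hard timeout. */
public final class GuardedSpelEvaluator {
    // Assumed budget values; tune them to the expressions the application legitimately accepts.
    static final int MAX_LENGTH = 256, MAX_NESTING = 4, MAX_OPERATORS = 16;
    static final long TIMEOUT_MS = 200;
    private final SpelExpressionParser parser = new SpelExpressionParser();
    private final ExecutorService pool = Executors.newFixedThreadPool(2);

    /** Cheap structural check run before the evaluator does any work; null means within budget. */
    static String budgetViolation(String expr) {
        if (expr.length() > MAX_LENGTH) return "length " + expr.length();
        if (expr.contains("#{") || expr.contains("T(")) return "template or type marker";
        int depth = 0, maxDepth = 0, operators = 0;
        for (char c : expr.toCharArray()) {
            if ("([{".indexOf(c) >= 0) maxDepth = Math.max(maxDepth, ++depth);
            else if (")]}".indexOf(c) >= 0) depth--;
            else if ("+-*/%^!&|<>=?:".indexOf(c) >= 0) operators++;
        }
        if (maxDepth > MAX_NESTING) return "nesting " + maxDepth;
        return operators > MAX_OPERATORS ? "operators " + operators : null;
    }

    /** Evaluates expr against root with read-only data binding; evaluation is cut off at TIMEOUT_MS. */
    Object evaluate(String expr, Object root) throws Exception {
        String violation = budgetViolation(expr);
        if (violation != null) {
            System.err.println("rejected SpEL input (" + violation + "): " + expr); // feeds detection alerts
            throw new IllegalArgumentException("expression exceeds complexity budget");
        }
        Expression parsed = parser.parseExpression(expr);
        // No type references, constructors, bean references or property writes are reachable here.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Future<Object> result = pool.submit(() -> parsed.getValue(ctx, root));
        try {
            return result.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true); // frees the request thread; the pool size bounds evaluations still running
            throw e;
        }
    }

    /** Assumed root object: SimpleEvaluationContext reads public JavaBean getters only. */
    public static class Account { public String getName() { return "alice"; } public int getLevel() { return 5; } }

    public static void main(String[] args) throws Exception {
        GuardedSpelEvaluator g = new GuardedSpelEvaluator();
        System.out.println(g.evaluate("level > 3 and name == 'alice'", new Account()));
        g.pool.shutdown();
    }
}
```

The request thread is released on timeout, but the SpEL evaluator does not poll for interruption, so the worker pool's fixed size is what bounds how many runaway evaluations can exist at once.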
# Example Maven dependency override to pin spring-expression to a patched Spring Framework version
# Replace <PATCHED_VERSION> with the fixed release from the Spring advisory
# Pinning spring-expression alone leaves the other org.springframework artifacts on the old release;
# keep every Spring artifact on the same patched line (for example via the Spring BOM) to avoid mixed versions
mvn versions:use-dep-version \
-Dincludes=org.springframework:spring-expression \
-DdepVersion=<PATCHED_VERSION> \
-DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.