CVE-2026-41851 Overview
CVE-2026-41851 affects Spring Framework applications that evaluate user-supplied Spring Expression Language (SpEL) expressions. The vulnerability allows remote attackers to trigger unbounded cache growth during expression evaluation, leading to memory exhaustion and a Denial of Service (DoS) condition. The flaw is classified under CWE-770: Allocation of Resources Without Limits or Throttling. No authentication or user interaction is required for exploitation, and the attack vector is network-based.
Critical Impact
Remote unauthenticated attackers can exhaust application memory by submitting crafted SpEL expressions, causing service outages in any Spring Framework application that evaluates untrusted expressions.
Affected Products
- Spring Framework 7.0.0 through 7.0.7
- Spring Framework 6.2.0 through 6.2.18; 6.1.0 through 6.1.27
- Spring Framework 5.3.0 through 5.3.48
Discovery Timeline
- 2026-06-09 - CVE-2026-41851 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-41851
Vulnerability Analysis
The vulnerability resides in Spring Framework's SpEL evaluation pipeline. SpEL is a powerful expression language that supports querying and manipulating object graphs at runtime. When an application passes user-supplied input to a SpEL parser and evaluator, the framework internally caches compiled expression artifacts to improve performance on repeated evaluations.
An attacker can craft a stream of distinct or specially shaped SpEL expressions that force the framework to populate internal caches without bound. Each unique expression adds entries that are not evicted, causing heap memory consumption to grow until the Java Virtual Machine throws OutOfMemoryError or the application becomes unresponsive due to garbage collection pressure.
Root Cause
The root cause is missing resource throttling on cache structures used during SpEL evaluation. The framework does not enforce a maximum cache size or eviction policy sufficient to bound memory usage when expression inputs come from untrusted sources. This aligns with CWE-770, where allocation occurs without limits.
Attack Vector
Exploitation requires the target application to expose an endpoint or interface that evaluates user-controlled SpEL expressions. The attacker submits a sequence of expressions over the network, repeatedly forcing the evaluator to cache new entries. No credentials are required when the affected endpoint is reachable by anonymous users. The impact is limited to availability; confidentiality and integrity are not affected.
Technical details are described in the Spring Security Advisory CVE-2026-41851.
Detection Methods for CVE-2026-41851
Indicators of Compromise
- Sustained heap memory growth in Java processes running Spring Framework without a corresponding increase in legitimate workload.
- Frequent full garbage collection cycles followed by OutOfMemoryError entries in application logs.
- High volumes of HTTP requests to endpoints that accept expression-language input, often with varied or randomized payloads.
Detection Strategies
- Inventory all application endpoints that parse or evaluate SpEL expressions from request parameters, headers, or body content.
- Inspect application code for calls to SpelExpressionParser.parseExpression() and Expression.getValue() that receive untrusted input.
- Correlate JVM memory metrics with request rates to identify abnormal growth driven by expression evaluation paths.
Monitoring Recommendations
- Enable JVM heap and garbage collection metrics through JMX, Micrometer, or Prometheus exporters and alert on sustained upward trends.
- Log SpEL parser invocations with input size and source IP to support forensic review and rate analysis.
- Monitor web application firewall (WAF) telemetry for repeated expression-shaped payloads such as T(...), #this, and #{...} (SpEL template) patterns. Note that ${...} is Spring property-placeholder syntax rather than SpEL, so a rule keyed only on ${...} will miss SpEL payloads.
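The two request-side signals called for above, a structured log line per parser invocation carrying payload size and source, and a flag on expression-shaped input, as an added example that is not part of the advisory or of the Spring project. It assumes Java 17, a plain class the application wires in front of its own parser calls, a constructed set of sample requests, and an assumed threshold of 20 distinct expressions per source per minute; all of these are illustrative choices, not values from the advisory.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: request-side telemetry for SpEL evaluation paths (assumptions noted inline).
public class SpelRequestMonitor {

    // SpEL-shaped tokens worth flagging: type references, the #this reference and #{...}
    // template expressions. ${...} is property-placeholder syntax, not SpEL, so it is not here.
    private static final Pattern EXPRESSION_SHAPED = Pattern.compile("T\\s*\\(|#this\\b|#\\{");

    public static boolean looksLikeExpression(String payload) {
        return payload != null && EXPRESSION_SHAPED.matcher(payload).find();
    }

    // Per-source history of (time, expression) kept only for the sliding window.
    private record Seen(Instant at, String expr) {}
    private final Map<String, Deque<Seen>> history = new HashMap<>();
    private final Duration window;
    private final int maxDistinct;

    public SpelRequestMonitor(Duration window, int maxDistinct) {
        this.window = window;
        this.maxDistinct = maxDistinct;
    }

    // Record one parser invocation. Returns true when the source has submitted more distinct
    // expressions inside the window than the threshold allows: a burst of never-repeating
    // expressions is exactly the traffic shape that drives the cache growth in this advisory.
    public boolean record(String sourceIp, String expr, Instant now) {
        Deque<Seen> q = history.computeIfAbsent(sourceIp, k -> new ArrayDeque<>());
        q.addLast(new Seen(now, expr));
        while (!q.isEmpty() && q.peekFirst().at().isBefore(now.minus(window))) {
            q.pollFirst();
        }
        Set<String> distinct = new HashSet<>();
        for (Seen s : q) {
            distinct.add(s.expr());
        }
        // Structured log line with the fields the monitoring recommendations ask for.
        System.out.printf("spel.parse source=%s len=%d distinct_in_window=%d expr_shaped=%b%n",
                sourceIp, expr.length(), distinct.size(), looksLikeExpression(expr));
        return distinct.size() > maxDistinct;
    }

    public static void main(String[] args) {
        SpelRequestMonitor monitor = new SpelRequestMonitor(Duration.ofMinutes(1), 20);
        Instant t0 = Instant.parse("2026-06-10T12:00:00Z");

        // Constructed traffic: a legitimate client reusing one fixed expression many times ...
        boolean legitimateAlerted = false;
        for (int i = 0; i < 25; i++) {
            legitimateAlerted |= monitor.record("10.0.0.5", "quantity * unitPrice", t0.plusSeconds(i));
        }
        // ... and a client that generates a fresh, type-reference-shaped expression per request.
        boolean attackerAlerted = false;
        for (int i = 0; i < 25; i++) {
            attackerAlerted |= monitor.record("203.0.113.7",
                    "T(java.lang.Math).abs(" + i + ")", t0.plusSeconds(i));
        }
        System.out.println("alert for 10.0.0.5: " + legitimateAlerted);
        System.out.println("alert for 203.0.113.7: " + attackerAlerted);
    }
}
```

The distinct-expression count, rather than the raw request rate, is what separates this attack from a busy but legitimate endpoint: the first client above evaluates the same expression 25 times in a minute and never trips the threshold, while the second adds a new parsed expression on every request and does.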
How to Mitigate CVE-2026-41851
Immediate Actions Required
- Upgrade Spring Framework to a fixed release as referenced in the Spring Security Advisory CVE-2026-41851.
- Audit application code and remove or restrict any path that evaluates user-supplied SpEL expressions.
- Apply rate limiting and request size limits on endpoints that accept expression input until patches are deployed.
Patch Information
The Spring Framework maintainers addressed the issue in updated Spring Framework releases beyond the affected ranges 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, and 7.0.0–7.0.7. Consult the vendor advisory for the specific fixed version corresponding to your supported branch.
Workarounds
- Replace user-supplied SpEL evaluation with a restricted expression evaluator or a safer parser that does not accept arbitrary input.
- Use SimpleEvaluationContext instead of StandardEvaluationContext when SpEL must be evaluated: it removes type references, constructors and bean references from what an expression can reach. This narrows what an attacker can do with an individual expression; it does not replace the upgrade, since the issue in this advisory is driven by the volume of distinct expressions evaluated rather than by what any one of them does.
- Place affected endpoints behind authentication and a WAF rule that blocks expression-language syntax in user input.
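The vulnerable pattern described in the Vulnerability Analysis next to the restricted form the workarounds above recommend, as an added example that is not part of the advisory or of the Spring project. It assumes Java 17, Spring MVC with the Spring Framework spring-expression module on the classpath, and an illustrative Order root object with invented field names and endpoint paths.

```java
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Added example: vulnerable and restricted SpEL evaluation side by side (assumed shapes inline).
@RestController
public class ExpressionController {

    // Root object the expressions read from (assumed shape, for illustration only).
    public static class Order {
        private final String customer;
        private final int quantity;
        private final double unitPrice;

        public Order(String customer, int quantity, double unitPrice) {
            this.customer = customer;
            this.quantity = quantity;
            this.unitPrice = unitPrice;
        }
        public String getCustomer() { return customer; }
        public int getQuantity() { return quantity; }
        public double getUnitPrice() { return unitPrice; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();
    private final Order sample = new Order("acme", 3, 9.99);

    // VULNERABLE PATTERN: whatever arrives in ?expr= is parsed and evaluated. A client that sends
    // a stream of never-repeating expressions drives the unbounded cache growth this advisory
    // describes, and StandardEvaluationContext additionally hands the caller type references,
    // constructors and method invocation.
    @GetMapping("/vulnerable")
    public Object vulnerable(@RequestParam String expr) {
        EvaluationContext ctx = new StandardEvaluationContext(sample);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // RESTRICTED PATTERN: the client selects an expression by name. The expressions are fixed at
    // class-load time and parsed exactly once, so attacker input cannot add parsed expressions,
    // and SimpleEvaluationContext removes type references, constructors and bean references
    // from what each one can reach.
    private static final Map<String, Expression> ALLOWED = Map.of(
            "total",    PARSER.parseExpression("quantity * unitPrice"),
            "customer", PARSER.parseExpression("customer"));

    @GetMapping("/restricted")
    public Object restricted(@RequestParam String name) {
        Expression e = ALLOWED.get(name);
        if (e == null) {
            throw new IllegalArgumentException("unknown expression name: " + name);
        }
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return e.getValue(ctx, sample);
    }
}
```

The allowlist is the control that actually bounds memory: the set of parsed expressions is fixed by the deployment, not by the client, so no sequence of requests can grow it. SimpleEvaluationContext is defence in depth on top of that and, as noted above, is not on its own a fix for this advisory.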
# Example Maven dependency update - replace <fixed-version> with the fixed release named in the
# vendor advisory. Assumes the pom declares the Spring version in a property named spring.version;
# Spring Boot projects override the managed version through the spring-framework.version property.
mvn versions:set-property -Dproperty=spring.version -DnewVersion=<fixed-version>
mvn clean verify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


