CVE-2026-41852: VMware Spring Framework RCE Vulnerability

CVE-2026-41852 is a remote code execution flaw in VMware Spring Framework affecting Spring Expression Language (SpEL) evaluation. Attackers who can supply or influence a SpEL expression can invoke zero-argument methods that a restricted evaluation context was configured to block, executing unintended application logic. This article covers affected versions, technical details, impact assessment, and mitigation strategies.

CVE-2026-41852 Overview

CVE-2026-41852 is an authorization flaw in the Spring Expression Language (SpEL) evaluation logic within VMware Spring Framework. The vulnerability allows arbitrary zero-argument method invocation even within restricted or read-only SpEL evaluation contexts. An attacker who can supply or influence SpEL expressions may invoke unintended application logic that should be blocked by the configured restrictions. The flaw is categorized under [CWE-863] Incorrect Authorization. Affected releases include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

Critical Impact

A network-reachable attacker can bypass SpEL evaluation restrictions to invoke zero-argument methods on accessible objects, potentially triggering unintended application behavior and limited integrity impact.

Affected Products

  • Spring Framework 7.0.0 through 7.0.7
  • Spring Framework 6.2.0 through 6.2.18
  • Spring Framework 6.1.0 through 6.1.27
  • Spring Framework 5.3.0 through 5.3.48

Discovery Timeline

  • 2026-06-09 - CVE-2026-41852 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-41852

Vulnerability Analysis

The vulnerability resides in how the Spring Expression Language evaluates method invocations against the configured EvaluationContext. SpEL supports multiple evaluation modes, including restricted and read-only contexts that should prevent state-changing or non-property method calls. The evaluator fails to consistently enforce these restrictions when a target method takes zero arguments. As a result, expressions can reach methods that the security policy intended to block.

Applications that evaluate user-influenced SpEL expressions are the primary exposure point. Common patterns include @PreAuthorize and @PostAuthorize annotations, message routing expressions in Spring Integration, dynamic property resolution, and templating that delegates to SpEL. When the configured context relies on the restricted-evaluation guarantee to keep callable surface small, this flaw widens the attack surface to any reachable zero-argument method on bean properties or context variables.

Root Cause

The root cause is incomplete authorization logic [CWE-863] inside the SpEL method resolver. The check that determines whether a method invocation is permitted in a restricted or read-only context does not cover zero-argument methods. Methods such as accessors, lifecycle hooks, or any business method that takes no parameters can be invoked even when the surrounding context is configured to disallow arbitrary method calls.

Attack Vector

Exploitation requires the ability to deliver a SpEL expression to a vulnerable evaluation site. The attack vector is network-based and requires no authentication or user interaction in typical exposures. An attacker crafts an expression that references a reachable bean or context variable and chains it into a zero-argument method call. The invoked method may return sensitive data, mutate state through side effects, or trigger downstream logic. Direct remote code execution is not implied by the CVSS profile, but unintended behavior in domain logic is in scope. See the Spring Security Advisory CVE-2026-41852 for vendor technical details.

Detection Methods for CVE-2026-41852

Indicators of Compromise

  • Unexpected SpEL expression strings in HTTP request parameters, headers, or message payloads containing method invocation syntax such as T(...), .toString(), or chained no-arg accessors.
  • Application logs showing SpEL parsing or evaluation errors followed by successful invocation of non-property methods.
  • Anomalous calls to bean methods originating from request handling threads that normally only resolve simple properties.

Detection Strategies

  • Inventory all Spring Framework deployments and compare versions against the affected ranges 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, and 7.0.0–7.0.7.
  • Audit source code for use of SpelExpressionParser, StandardEvaluationContext, SimpleEvaluationContext, and annotations that accept SpEL such as @Value, @PreAuthorize, and @PostAuthorize.
  • Deploy WAF or API gateway rules that flag SpEL-like payloads in untrusted input fields.
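The following added example (not code from the advisory or from the Spring project) turns the indicators listed above into a scan over constructed request log lines; the same `indicatorsIn` check can be reused as pre-evaluation input validation at a SpEL site. Log lines, paths and parameter names are constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SpelIndicatorScan {

    // Indicators from the IoC list: T(...) type references, chained zero-argument
    // calls such as .toString(), and SpEL template delimiters #{...}.
    private static final Pattern TYPE_REF   = Pattern.compile("\\bT\\s*\\(");
    private static final Pattern NOARG_CALL = Pattern.compile("\\.[A-Za-z_$][\\w$]*\\s*\\(\\s*\\)");
    private static final Pattern TEMPLATE   = Pattern.compile("#\\{");

    // Returns the indicator names found in one already-decoded input value.
    public static List<String> indicatorsIn(String value) {
        List<String> hits = new ArrayList<>();
        if (TYPE_REF.matcher(value).find())   hits.add("type-reference");
        if (NOARG_CALL.matcher(value).find()) hits.add("zero-arg-method-call");
        if (TEMPLATE.matcher(value).find())   hits.add("spel-template");
        return hits;
    }

    // Constructed access-log lines (not real traffic), shape "METHOD path?query".
    static final String[] SAMPLE_LOG = {
        "GET /orders?sort=total",
        "GET /orders?filter=customer.toString()",
        "POST /route?expr=%23%7Border.cancel()%7D",
        "GET /search?q=T(java.lang.Math)"
    };

    public static void main(String[] args) {
        for (String line : SAMPLE_LOG) {
            // Percent-decode before matching: an encoded '#{' or '(' is the same payload.
            String query = line.contains("?") ? line.substring(line.indexOf('?') + 1) : "";
            String decoded = URLDecoder.decode(query, StandardCharsets.UTF_8);
            List<String> hits = indicatorsIn(decoded);
            System.out.println((hits.isEmpty() ? "ok    " : "ALERT ") + line + " " + hits);
        }
    }
}
```

Only the first sample line passes clean; the other three are flagged with the indicator that matched, so the rule can be tuned per parameter rather than applied to every field.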

Monitoring Recommendations

  • Enable verbose logging on SpEL evaluation paths during patch validation to capture unexpected method resolution.
  • Correlate authentication and authorization decisions with downstream method calls to detect bypass patterns.
  • Monitor application performance metrics for anomalous bean method invocation frequency that may indicate probing.

How to Mitigate CVE-2026-41852

Immediate Actions Required

  • Upgrade Spring Framework to a fixed release line published by VMware for the 5.3.x, 6.1.x, 6.2.x, and 7.0.x branches as documented in the Spring Security Advisory CVE-2026-41852.
  • Identify and review every SpEL evaluation site that consumes untrusted input and confirm whether restricted-context guarantees are part of the security model.
  • Restrict network exposure of endpoints that evaluate SpEL until patches are applied.

Patch Information

VMware has published fixed versions on the official Spring advisory page. Upgrade to a release beyond the affected ranges: later than 5.3.48 on the 5.3.x line, later than 6.1.27 on the 6.1.x line, later than 6.2.18 on the 6.2.x line, and later than 7.0.7 on the 7.0.x line. Refer to the Spring Security Advisory CVE-2026-41852 for the exact fixed versions and release notes.

Workarounds

  • Replace StandardEvaluationContext with a tightly scoped SimpleEvaluationContext configured with only the property accessors needed by the application.
  • Validate and sanitize any user-supplied data before it reaches a SpEL evaluation site, rejecting inputs containing method-invocation syntax such as parentheses or T( type references.
  • Apply principle of least privilege to beans exposed in evaluation contexts so that zero-argument methods do not return sensitive data or mutate state.
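The first workaround, shown as an added example that is not code from the advisory or from Spring itself: the same three expressions are evaluated against a StandardEvaluationContext and against a read-only SimpleEvaluationContext. The `Order` root object and its `cancel()` method are constructed for illustration.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextHardening {
    // Constructed root object (assumption): expressions legitimately read its
    // properties, but the zero-argument cancel() method must never be reachable.
    public static class Order {
        private final String customer;
        private final int total;
        public Order(String customer, int total) { this.customer = customer; this.total = total; }
        public String getCustomer() { return customer; }
        public int getTotal() { return total; }
        public String cancel() { return "ORDER CANCELLED"; }
    }

    // Weak setting: StandardEvaluationContext exposes method invocation, T(...)
    // type references, constructors and bean references to the expression.
    static EvaluationContext weakContext(Order root) {
        return new StandardEvaluationContext(root);
    }

    // Corrected setting: read-only data binding with property accessors only and no
    // MethodResolver, so a patched Spring rejects cancel(). On affected releases the
    // advisory says zero-argument methods may still be reached: defense in depth, not a fix.
    static EvaluationContext hardenedContext(Order root) {
        return SimpleEvaluationContext.forReadOnlyDataBinding().withRootObject(root).build();
    }

    static String evaluate(EvaluationContext ctx, String expression) {
        ExpressionParser parser = new SpelExpressionParser();
        try {
            return String.valueOf(parser.parseExpression(expression).getValue(ctx));
        } catch (ExpressionException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 42);
        String[] inputs = { "customer", "total > 40", "cancel()" };
        for (String expr : inputs) {
            System.out.println("standard  " + expr + " -> " + evaluate(weakContext(order), expr));
            System.out.println("hardened  " + expr + " -> " + evaluate(hardenedContext(order), expr));
        }
    }
}
```

The two property expressions evaluate identically in both contexts, which is the point of the workaround: the application keeps the data-binding behaviour it needs while the callable surface shrinks to accessors.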
```bash
# Configuration example: pin the patched Spring Framework version in Maven
# (requires the versions-maven-plugin). Replace 6.2.19 with the fixed release
# named in the Spring advisory for the line you run.
mvn versions:set-property -Dproperty=spring-framework.version -DnewVersion=6.2.19
# Confirm the resolved artifact is outside the affected range
mvn dependency:tree | grep spring-core
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
