CVE-2026-41855 Overview
CVE-2026-41855 is an insecure deserialization vulnerability in the JMS support of the Spring Framework. It affects org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter. When the JMS broker, or a producer that can publish to it, is not trusted, both converters let the type id carried on the message decide which Java class is instantiated during deserialization, so a producer can name arbitrary classes present on the consumer's classpath and chain gadget classes into unauthorized actions. The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. It impacts Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
Critical Impact
An attacker who can publish messages to a destination that a vulnerable application consumes can trigger gadget-chain deserialization inside the consumer JVM, leading to arbitrary code execution and full compromise of the confidentiality, integrity, and availability of that application.
Affected Products
- Spring Framework 7.0.0 through 7.0.7
- Spring Framework 6.2.0 through 6.2.18, and 6.1.0 through 6.1.27
- Spring Framework 5.3.0 through 5.3.48
Discovery Timeline
- 2026-06-09 - CVE-2026-41855 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-41855
Vulnerability Analysis
The vulnerability resides in two Spring JMS message converters that use Jackson to turn JSON message bodies into Java objects. Both MappingJackson2MessageConverter and JacksonJsonMessageConverter read the target Java type from a type id property on the inbound message (the property named by setTypeIdPropertyName). That property is set by whoever produced the message and is simply relayed by the broker. If the id matches an entry registered with setTypeIdMappings, the mapped class is used; otherwise the converter resolves the header value itself as a class name. An attacker who controls the header therefore selects the class, and Jackson then constructs it, invoking its constructor, setters, and other deserialization callbacks with attacker-supplied field values. Gadget classes present on the application classpath can chain these callbacks into unintended behavior, up to remote code execution.
Root Cause
The converters trust the type information embedded in inbound JMS messages without restricting the target class to a fixed allowlist: the type id mapping is an alias table that is consulted first, not a boundary. This unrestricted class selection matches the CWE-502 pattern, where attacker-controlled class names drive object construction. Applications that consume JMS messages from brokers outside their security boundary inherit this trust assumption by default.
Attack Vector
An attacker who can publish messages to a JMS destination consumed by a vulnerable Spring application sends a message whose type id property names a gadget class and whose JSON body supplies the fields that gadget needs. The converter resolves the class name, instantiates the object, and populates its fields from the body. Depending on the gadgets present, the chain can execute commands, read files, or trigger outbound network connections. Exploitation requires the ability to publish to the broker and knowledge of which gadget classes are on the consumer's classpath, which raises attack complexity but requires no authentication or user interaction beyond whatever the broker itself enforces.
No public proof-of-concept code is currently available. Refer to the Spring Security Advisory CVE-2026-41855 for technical details.
Detection Methods for CVE-2026-41855
Indicators of Compromise
- JMS messages whose type id property (the property configured with setTypeIdPropertyName, for example _type) carries a fully qualified class name, or any identifier outside the aliases the application expects for that destination.
- Java processes spawning child processes such as bash, sh, cmd.exe, or powershell.exe shortly after consuming JMS traffic.
- Outbound network connections from JMS consumer JVMs to unfamiliar destinations following message processing.
Detection Strategies
- Inspect application logs for MessageConversionException entries raised by MappingJackson2MessageConverter or JacksonJsonMessageConverter that name a type id outside the application's own packages (a failed resolution wraps the underlying ClassNotFoundException), and for successful conversions into classes that are not the expected DTOs.
- Log the resolved type id for every consumed message (Jackson does not log this on its own; record it from a listener interceptor or a converter subclass) and alert on identifiers that resolve to classes in libraries with known Jackson gadgets, such as commons-collections, c3p0, or spring-aop.
- Hunt for anomalous behavior from JVM processes hosting Spring JMS listeners, including new file writes, configuration changes, or lateral movement attempts.
Monitoring Recommendations
- Forward JMS broker access logs and Spring application logs to a centralized SIEM for correlation across message producers and consumers.
- Baseline expected message types per JMS destination and alert when payloads reference unknown Java classes.
- Monitor for runtime loading of reflective or scripting classes such as javax.script.ScriptEngineManager inside JMS consumer processes.
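A hunt over a header log, as an added example that is not part of the original page. It implements the baseline-per-destination check from the monitoring recommendations together with the gadget-library check from the detection strategies: every inbound message's destination and type id are compared with the aliases that destination is supposed to carry, and anything else is graded. The log format (dest=... typeId=...), the destinations, the aliases and the sample lines are all constructed for the example; the gadget prefixes are an illustrative starting set drawn from package names that appear in Jackson's built-in SubTypeValidator deny-list and should be extended from an inventory of the consumer's own classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hunts a JMS header log for type ids that do not belong to a destination's baseline. */
public class JmsTypeIdHunt {

    enum Severity { INFO, HIGH, CRITICAL }

    record Finding(String destination, String typeId, Severity severity, String reason) {}

    // Illustrative prefixes of classes found in Jackson's SubTypeValidator deny-list.
    // Extend this from your own classpath inventory; it is a starting point, not a complete list.
    static final List<String> GADGET_PREFIXES = List.of(
            "com.sun.rowset.",
            "com.mchange.v2.c3p0.",
            "org.apache.commons.collections.functors.",
            "org.springframework.aop.",
            "org.springframework.beans.factory.config.");

    // Constructed log format for this example (not a Spring or broker log format):
    // one header dump per line, e.g. "... dest=orders.in typeId=order".
    static final Pattern LINE = Pattern.compile("dest=(\\S+)\\s+typeId=(\\S+)");

    /** Returns one finding per line whose type id is not in the baseline for its destination. */
    static List<Finding> scan(List<String> lines, Map<String, Set<String>> baseline) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) {
                continue;
            }
            String dest = m.group(1);
            String typeId = m.group(2);
            Set<String> expected = baseline.getOrDefault(dest, Set.of());
            if (expected.contains(typeId)) {
                continue; // known alias for this destination
            }
            if (GADGET_PREFIXES.stream().anyMatch(typeId::startsWith)) {
                findings.add(new Finding(dest, typeId, Severity.CRITICAL,
                        "type id names a class in a known gadget package"));
            } else if (typeId.contains(".")) {
                // A producer sending a class name instead of an alias is bypassing the mapping,
                // even when the class belongs to the application itself.
                findings.add(new Finding(dest, typeId, Severity.HIGH,
                        "fully qualified class name where an alias was expected"));
            } else {
                findings.add(new Finding(dest, typeId, Severity.INFO,
                        "unknown alias; add to baseline or investigate the producer"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed baseline: which aliases each destination legitimately carries.
        Map<String, Set<String>> baseline = Map.of(
                "orders.in", Set.of("order"),
                "billing.in", Set.of("invoice"));
        // Constructed sample log lines.
        List<String> sample = List.of(
                "2026-06-10T12:00:01Z dest=orders.in typeId=order",
                "2026-06-10T12:00:02Z dest=orders.in typeId=com.example.Order",
                "2026-06-10T12:00:03Z dest=billing.in typeId=com.sun.rowset.JdbcRowSetImpl",
                "2026-06-10T12:00:04Z dest=billing.in typeId=refund");
        for (Finding f : scan(sample, baseline)) {
            System.out.printf("%-8s %s %s: %s%n", f.severity(), f.destination(), f.typeId(), f.reason());
        }
    }
}
```

Running main on the sample yields no finding for the first line, HIGH for the second, CRITICAL for the third and INFO for the fourth. The same scan function can be pointed at whatever the consumer actually records, provided the type id and destination are captured per message; the type id is the one field the converter acts on, so it is the field worth logging.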
How to Mitigate CVE-2026-41855
Immediate Actions Required
- Upgrade Spring Framework to the patched releases announced in the Spring Security Advisory CVE-2026-41855.
- Inventory all applications using MappingJackson2MessageConverter or JacksonJsonMessageConverter and confirm whether they consume messages from untrusted brokers.
- Restrict network access to JMS brokers so only authorized producers can publish messages.
Patch Information
The Spring team has published fixed versions through the official advisory. Upgrade the 7.0.x, 6.2.x, 6.1.x, and 5.3.x branches to the versions listed in the Spring Security Advisory CVE-2026-41855. Applications that pull the framework in transitively through Spring Boot should move to the Boot release that carries the fixed Spring Framework version.
Workarounds
- Configure the converter with an explicit setTypeIdMappings allowlist that maps message type identifiers to a fixed set of safe classes, and on unpatched releases also reject any type id that is not in the mapping: the mapping is consulted first, but an unmapped id still falls through to resolution by class name.
- Replace polymorphic JSON conversion with a converter that always deserializes into one fixed target class regardless of any type header, for example by receiving the body as text and calling ObjectMapper.readValue(body, Order.class) with the expected type.
- Authenticate and authorize all JMS producers, and isolate consumers from brokers exposed to untrusted networks.
// Example: enforce an explicit type ID mapping in Spring configuration.
// Listed ids resolve only to the classes mapped here. On unpatched releases an id that is
// not listed still falls through to class loading by name, so pair this with rejecting
// unknown ids (or upgrade) rather than relying on the mapping alone.
MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
converter.setTargetType(MessageType.TEXT);
converter.setTypeIdPropertyName("_type");
converter.setTypeIdMappings(Map.of(
    "order", com.example.Order.class,
    "invoice", com.example.Invoice.class
));
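The following fail-closed converter is an added example written for this page; it is not code from the Spring Framework or from the advisory. It assumes the Spring 6.x API with jakarta.jms and Jackson 2 (the MappingJackson2MessageConverter side; the 5.3 line uses javax.jms instead), and the package com.example.jms, the Order and Invoice records, the _type header name and the orders.in destination are all hypothetical. It turns the trust pattern described under Root Cause and Attack Vector around: the type id header is used only as a key into a fixed alias table, and getJavaTypeForMessage is overridden so that an unknown or missing id is rejected before any class is loaded, which is the step the setTypeIdMappings workaround alone does not provide on unpatched releases.

```java
package com.example.jms;

import java.util.Map;

import jakarta.jms.ConnectionFactory;
import jakarta.jms.JMSException;
import jakarta.jms.Message;

import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jms.annotation.EnableJms;
import org.springframework.jms.annotation.JmsListener;
import org.springframework.jms.config.DefaultJmsListenerContainerFactory;
import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageConversionException;
import org.springframework.jms.support.converter.MessageType;
import org.springframework.stereotype.Component;

/**
 * Fail-closed JSON converter (example, not Spring's own code). The type id header is
 * only ever a lookup key into a fixed alias -> class table; an unknown or missing id is
 * rejected before any class is loaded, so a producer cannot choose the target type.
 */
public class AllowlistJsonMessageConverter extends MappingJackson2MessageConverter {

    private final String typeIdProperty;
    private final Map<String, Class<?>> allowed;
    // A plain mapper with default typing left off, so the mapped DTOs cannot
    // reintroduce class selection through polymorphic fields of their own.
    private final ObjectMapper mapper = new ObjectMapper();

    public AllowlistJsonMessageConverter(String typeIdProperty, Map<String, Class<?>> allowed) {
        this.typeIdProperty = typeIdProperty;
        this.allowed = Map.copyOf(allowed);
        setObjectMapper(mapper);
        setTargetType(MessageType.TEXT);
        setTypeIdPropertyName(typeIdProperty);
        setTypeIdMappings(this.allowed); // still used to stamp the alias on outbound messages
    }

    @Override
    protected JavaType getJavaTypeForMessage(Message message) throws JMSException {
        String typeId = message.getStringProperty(typeIdProperty);
        Class<?> target = (typeId == null) ? null : allowed.get(typeId);
        if (target == null) {
            // The stock resolver would fall back to loading the header value as a class
            // name. Never do that for a message that may come from an untrusted producer.
            throw new MessageConversionException(
                    "Rejected JMS message with unknown type id [" + typeId + "]");
        }
        return mapper.getTypeFactory().constructType(target);
    }
}

// Hypothetical DTOs: plain data carriers with no polymorphic Jackson annotations.
record Order(String id, long cents) {}
record Invoice(String id, String orderId) {}

@Configuration
@EnableJms
class JmsListenerConfig {

    @Bean
    DefaultJmsListenerContainerFactory jmsListenerContainerFactory(ConnectionFactory connectionFactory) {
        DefaultJmsListenerContainerFactory factory = new DefaultJmsListenerContainerFactory();
        factory.setConnectionFactory(connectionFactory);
        // Only these two aliases can ever be deserialized by listeners using this factory.
        factory.setMessageConverter(new AllowlistJsonMessageConverter("_type",
                Map.of("order", Order.class, "invoice", Invoice.class)));
        return factory;
    }
}

@Component
class OrderConsumer {

    // Only a message with _type=order reaches this method; anything else fails in the converter.
    @JmsListener(destination = "orders.in")
    void onOrder(Order order) {
        System.out.println("accepted order " + order.id());
    }
}
```

Two points matter when adopting this. The mapped DTOs must themselves be plain data classes, because a @JsonTypeInfo field or enabled default typing would let the JSON body pick a subtype inside an allowed class; Jackson's built-in SubTypeValidator deny-list does not help with the root class, since it only validates polymorphic subtypes, not a type the caller resolved itself. And a rejected message surfaces as a MessageConversionException in the listener container, so configure an error handler or a broker dead-letter policy rather than letting such messages redeliver indefinitely.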
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

