CVE-2026-40985
Awaiting Analysis

Malicious Unified EL Expression in Spring Web Flow

Vulnerability report for CVE-2026-40985, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-23

Assigner: VMware

Description

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-23
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

3 associated CPEs:

Vendor   Product          Version / Range
vmware   spring_web_flow  4.0.0
vmware   spring_web_flow  From 3.0.0 (inc) to 3.0.1 (inc)
vmware   spring_web_flow  From 2.5.0 (inc) to 2.5.1 (inc)

Exploitability

CWE-917: The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Executive Summary

CVE-2026-40985 is a medium-severity data binding vulnerability in Spring Web Flow versions 2.5.0 to 2.5.1, 3.0.0 to 3.0.1, and 4.0.0.

The vulnerability occurs when applications explicitly configure the WebFlowELExpressionParser or its base class ELExpressionParser without enabling the useSpringBinding property or using the <binding> element in view states.

This misconfiguration allows malicious Unified EL expressions to be executed within the application.

Impact Analysis

The vulnerability can lead to unauthorized data access or manipulation by allowing attackers to execute malicious Unified EL expressions.

This could compromise the confidentiality and integrity of data handled by the affected Spring Web Flow applications.

Mitigation Strategies

To mitigate this vulnerability, affected users should upgrade Spring Web Flow to the fixed versions: 2.5.2, 3.0.2, or 4.0.1.

No additional mitigation steps are necessary beyond upgrading.

Compliance Impact

This vulnerability allows the execution of malicious Unified EL expressions, which can lead to unauthorized data access or manipulation.

Such unauthorized access or manipulation of data could potentially impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.

However, the provided information does not explicitly state the direct effects on compliance with these standards.
