CVE-2026-40985
Status: Received - Intake
Malicious Unified EL Expression in Spring Web Flow

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor   Product           Version / Range
vmware   spring_web_flow   4.0.0
vmware   spring_web_flow   3.0.0 (inclusive) through 3.0.1 (inclusive)
vmware   spring_web_flow   2.5.0 (inclusive) through 2.5.1 (inclusive)
CWE
CWE-917 (Expression Language Injection): The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed.
AI-generated analysis
Executive Summary

CVE-2026-40985 is a medium-severity data binding vulnerability in Spring Web Flow versions 2.5.0 through 2.5.1, 3.0.0 through 3.0.1, and 4.0.0.

Only applications that explicitly configure the WebFlowELExpressionParser, or its base class ELExpressionParser, are affected, and only when they do so without enabling the useSpringBinding property or using the <binding> element in view states.

With that configuration, attacker-supplied Unified EL expressions can be evaluated by the application.

Impact Analysis

The vulnerability can lead to unauthorized data access or manipulation by allowing attackers to execute malicious Unified EL expressions.

This could compromise the confidentiality and integrity of data handled by the affected Spring Web Flow applications.

Mitigation Strategies

To mitigate this vulnerability, affected users should upgrade Spring Web Flow to the fixed versions: 2.5.2, 3.0.2, or 4.0.1.

No additional mitigation steps are necessary beyond upgrading.

Compliance Impact

This vulnerability allows the execution of malicious Unified EL expressions, which can lead to unauthorized data access or manipulation.

Such unauthorized access or manipulation of data could potentially impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.

However, the provided information does not explicitly state the direct effects on compliance with these standards.
