CVE-2026-41851
Received Received - Intake
Denial of Service in Spring Framework via SpEL Cache Growth

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-41851
EUVD
EUVD-2026-35339
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_framework From 5.3.0 (inc) to 5.3.48 (inc)
vmware spring_framework From 6.1.0 (inc) to 6.1.27 (inc)
vmware spring_framework From 6.2.0 (inc) to 6.2.18 (inc)
vmware spring_framework From 7.0.0 (inc) to 7.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41851 is a medium-severity vulnerability in the Spring Framework related to the Spring Expression Language (SpEL). It occurs when applications accept user-supplied or untrusted SpEL expressions that are parsed and cached. If a large number of such expressions are evaluated, the cache can grow without bounds, leading to excessive memory consumption.

This unbounded cache growth can cause memory exhaustion, which may result in a Denial of Service (DoS) attack, making the affected system unavailable or unstable.

Impact Analysis

This vulnerability can impact you by causing your application or system to experience a Denial of Service (DoS). Specifically, if your application accepts user-controlled SpEL expressions and processes a very high volume of them, the unbounded cache growth can exhaust system memory.

Memory exhaustion can lead to system downtime, degraded performance, or crashes, which can disrupt service availability and affect users relying on your application.

Mitigation Strategies

The recommended mitigation is to upgrade to the fixed versions of the Spring Framework.

  • Upgrade to Spring Framework 7.0.8 (OSS) or 7.0.7.1 (Commercial).
  • Upgrade to Spring Framework 6.2.19 (OSS) or 6.2.18.1 (Commercial).
  • Upgrade to Spring Framework 6.1.28 (Commercial).
  • Upgrade to Spring Framework 5.3.49 (Commercial).

No additional mitigation steps are required beyond upgrading.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41851. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart