CVE-2026-41855
Status: Received - Intake
Deserialization Vulnerability in Spring Framework

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)
Vendor   Product           Version range
vmware   spring_framework  5.3.0 (inclusive) to 5.3.48 (inclusive)
vmware   spring_framework  6.1.0 (inclusive) to 6.1.27 (inclusive)
vmware   spring_framework  6.2.0 (inclusive) to 6.2.18 (inclusive)
vmware   spring_framework  7.0.0 (inclusive) to 7.0.7 (inclusive)
Exploitability
CWE ID   Description
CWE-502  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Quick Actions
Executive Summary

CVE-2026-41855 is a security vulnerability in the Spring Framework related to unsafe deserialization in an untrusted JMS environment.

Specifically, the classes MappingJackson2MessageConverter and JacksonJsonMessageConverter allow arbitrary class instantiation while deserializing a message; an attacker can combine this with gadget classes present on the consumer's classpath to perform unauthorized actions.

In practice, when these converters deserialize messages from untrusted sources, an attacker who controls the message can cause unexpected classes to be instantiated and potentially execute malicious code on the consumer.

Impact Analysis

This vulnerability can lead to unauthorized actions in your system by allowing attackers to instantiate arbitrary classes through deserialization.

Such unauthorized actions may include remote code execution, data manipulation, or other malicious behaviors depending on the gadget classes available in the environment.

The impact is significant especially in untrusted JMS environments where message sources cannot be fully trusted.

Mitigation Strategies

To mitigate this vulnerability in an untrusted JMS environment, you should upgrade to the fixed versions of the Spring Framework that address this issue.

Additionally, restrict deserialization to trusted packages by using the new setTrustedPackages method provided in the updated converters.

If your JMS environment is trusted, no mitigation is required.
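As an added configuration example (not code from the advisory or from the Spring project), the following bean definition applies the guidance above on the consumer side: it maps logical type ids to an explicit allowlist of payload classes and restricts deserialization to the application's own package. setTargetType, setTypeIdPropertyName and setTypeIdMappings are existing MappingJackson2MessageConverter methods; setTrustedPackages is the method named in this advisory for the fixed versions, and its String... signature, the package name com.example.orders and the OrderPlaced payload type are assumptions made for this example.

```java
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageConverter;
import org.springframework.jms.support.converter.MessageType;

@Configuration
public class JmsConverterConfig {

    // Hypothetical payload type for this example; replace with the application's own DTOs.
    public record OrderPlaced(String orderId, long amountCents) {}

    @Bean
    public MessageConverter jmsMessageConverter() {
        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();

        // Carry the JSON body as a TextMessage.
        converter.setTargetType(MessageType.TEXT);

        // JMS property that carries the type id of the payload.
        converter.setTypeIdPropertyName("_type");

        // Explicit allowlist: logical type ids map to concrete classes, so producers
        // send a short id rather than a fully qualified class name, and the consumer
        // only binds ids it knows about.
        converter.setTypeIdMappings(Map.of("orderPlaced", OrderPlaced.class));

        // Method named in the advisory for the fixed versions (varargs signature assumed):
        // restricts any class resolution by the converter to the listed package(s).
        converter.setTrustedPackages("com.example.orders");

        return converter;
    }
}
```

The advisory's primary fix is the upgrade; the converter settings above narrow what an untrusted producer can make the consumer instantiate and complement the fixed versions rather than replace them. Keep the allowlist to the DTO types the consumer actually expects, and treat the trusted-package list as a ceiling, not a substitute for mapping each type id explicitly.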

Compliance Impact

The vulnerability allows arbitrary class instantiation and unauthorized actions via gadget class deserialization in untrusted JMS environments. This can lead to unauthorized access or manipulation of sensitive data, which may impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding personal and health information.

To mitigate this risk and maintain compliance, users should upgrade to fixed versions of the Spring Framework and restrict deserialization to trusted packages using the new setTrustedPackages method.
