HarborGuard Database

CVE-2026-41849 | Severity: HIGH | CNA: vmware

CVE-2026-41849: Spring Framework Denial of Service via Integer Overflow in SpEL Expressions

An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). Affected versions: Spring Framework 5.3.0 through 5.3.48.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 5.3.49
Affected products: 1


HarborGuard Analysis

Synopsis

An integer overflow vulnerability exists in the Spring Expression Language (SpEL) evaluation logic within Spring Framework versions 5.3.0 through 5.3.48. The flaw is reachable over the network with no authentication required, making any internet-exposed application that evaluates user-supplied SpEL expressions a target. Successful exploitation causes excessive resource consumption, crashing or hanging the affected service and producing a denial of service. A patched-image rebuild at Spring Framework 5.3.49 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: available

Detection capability for CVE-2026-41849 is available across every HarborGuard environment, with the CVE ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle Spring Framework, including those assembled from internal base images.

Triage: available

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector; triage logic can weight that score against each environment's compliance policy to adjust urgency. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: available

A patched-image rebuild at Spring Framework 5.3.49 is available through HarborGuard for any image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable SpEL evaluation endpoint must be reachable over the network; any internet- or intranet-exposed application accepting SpEL input is in scope.

  • Authentication: Not required

    No credentials or session token are needed; an anonymous request carrying a crafted SpEL expression is sufficient to trigger the overflow.

  • Victim interaction: Not required

    No action from a user or administrator is required; the attacker sends the payload directly to the service.

  • Attack complexity: Low

    Exploit complexity is low; the attack is reliable and requires no specific race conditions, memory layout knowledge, or environmental pre-conditions.
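The reachability precondition in the list above, shown as an added example that is not from this page or from the Spring project: a Java helper that parses a raw request string as SpEL (the pattern that puts an application in scope) beside a form that only ever parses application-authored expressions. The class and method names (SpelInputHandling, Order, evaluateUntrusted, evaluateAllowlisted) and the Order bean are illustrative; SpelExpressionParser and SimpleEvaluationContext are real Spring classes from spring-expression. The allowlist does not fix the overflow, which only 5.3.49 does; it removes the condition that an attacker-chosen expression reaches the evaluator at all.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

import java.util.Map;

public class SpelInputHandling {

    // Illustrative domain object (assumption for the example); any bean with getters works as a SpEL root.
    public static class Order {
        private final String name;
        private final int price;
        private final int quantity;

        public Order(String name, int price, int quantity) {
            this.name = name;
            this.price = price;
            this.quantity = quantity;
        }

        public String getName() { return name; }
        public int getPrice() { return price; }
        public int getQuantity() { return quantity; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // VULNERABLE PATTERN: a string taken straight from the request is parsed and evaluated.
    // This is the exposure the advisory describes: parser and evaluator see whatever the caller
    // sends, under the default StandardEvaluationContext that getValue(root) builds.
    public static Object evaluateUntrusted(String expressionFromRequest, Order root) {
        return PARSER.parseExpression(expressionFromRequest).getValue(root);
    }

    // HARDENED PATTERN: the caller chooses a selector from a fixed allowlist; the expressions are
    // written by the application, parsed once at class load, and evaluated in a read-only
    // data-binding context. Untrusted bytes never reach parseExpression().
    private static final Map<String, Expression> ALLOWED = Map.of(
            "name", PARSER.parseExpression("name"),
            "total", PARSER.parseExpression("price * quantity"));

    public static Object evaluateAllowlisted(String selector, Order root) {
        Expression expr = ALLOWED.get(selector);
        if (expr == null) {
            throw new IllegalArgumentException("unknown selector: " + selector);
        }
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return expr.getValue(ctx);
    }

    public static void main(String[] args) {
        Order order = new Order("widget", 3, 4);
        // Both calls return 12, but only the first accepts an arbitrary attacker-chosen string.
        System.out.println(evaluateUntrusted("price * quantity", order));
        System.out.println(evaluateAllowlisted("total", order));
        try {
            evaluateAllowlisted("price * quantity", order); // rejected: not a known selector
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with spring-expression and spring-core on the classpath (Java 9 or later for Map.of). When reviewing an application for this CVE, the question to ask of each parseExpression() call is where its string argument comes from; a call whose argument can be influenced by a request, a header, a message body, or a stored record that a user controls is the one that satisfies the conditions listed above.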

Blast Radius

  • Crashes or hangs the Spring application process, making the service unavailable to legitimate users.
  • Sustained requests with crafted expressions can exhaust CPU or memory on the host, potentially destabilizing other containers in the same pod or workloads on the same node, especially where no CPU and memory limits are set.
  • No confidential data is read and no stored data is modified; impact is limited entirely to availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41849 activates as soon as the advisory is ingested, flagging any image that bundles Spring Framework 5.3.0 through 5.3.48. A rebuild at the fixed version 5.3.49 is available for affected images. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test pass, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the flagged finding and proposed rebuild are surfaced in the customer dashboard for engineer review. Because this is a network-exploitable, zero-authentication denial of service, upgrading to 5.3.49 is the primary remediation; Spring Framework 5.3.x is past its open-source support window, so confirm that the 5.3.49 artifact is obtainable for your build before relying on it. Until the rebuild is applied, two compensating controls reduce exposure: network policy that limits which clients can reach endpoints that evaluate SpEL, and application-level checks that never pass raw request data to the SpEL parser (for example, mapping a user-supplied selector to a fixed set of pre-parsed expressions). Triage should also confirm whether a flagged application evaluates attacker-controlled expressions at all; a service that only evaluates expressions from its own configuration still carries the vulnerable code, but it does not meet the network-reachability condition listed above and can be scheduled accordingly.
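One way to run the same 5.3.0-through-5.3.48 range check against your own dependency listing, as an added example that is not HarborGuard's scanner and is not code from this page. It parses lines in the format `mvn dependency:list` prints and flags org.springframework artifacts whose version falls in the affected range; the input lines below are constructed for the example, and the class and method names (SpringRangeCheck, affectedCoordinates, isAffected) are illustrative. Every org.springframework module at an affected version is reported, because the advisory names a framework release rather than a single artifact.

```java
import java.util.ArrayList;
import java.util.List;

public class SpringRangeCheck {

    // Affected range from the advisory: 5.3.0 (inclusive) up to the fixed release 5.3.49 (exclusive).
    static final int[] FIRST_AFFECTED = {5, 3, 0};
    static final int[] FIXED = {5, 3, 49};

    // Parses "major.minor.patch" and tolerates qualifiers such as "5.3.48-SNAPSHOT";
    // a missing or non-numeric component is treated as 0.
    static int[] parseVersion(String version) {
        String[] parts = version.split("[.-]");
        int[] out = new int[3];
        for (int i = 0; i < 3; i++) {
            try {
                out[i] = i < parts.length ? Integer.parseInt(parts[i]) : 0;
            } catch (NumberFormatException e) {
                out[i] = 0;
            }
        }
        return out;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    static boolean isAffected(String version) {
        int[] v = parseVersion(version);
        return compare(v, FIRST_AFFECTED) >= 0 && compare(v, FIXED) < 0;
    }

    // Accepts lines shaped like "[INFO]    groupId:artifactId:type[:classifier]:version:scope",
    // which is what `mvn dependency:list` prints; the version is always the field before scope.
    static List<String> affectedCoordinates(List<String> dependencyListLines) {
        List<String> hits = new ArrayList<>();
        for (String raw : dependencyListLines) {
            String line = raw.replaceFirst("^\\[INFO\\]\\s*", "").trim();
            String[] f = line.split(":");
            if (f.length < 5 || !f[0].equals("org.springframework")) continue;
            String version = f[f.length - 2];
            if (isAffected(version)) {
                hits.add(f[0] + ":" + f[1] + ":" + version);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample in `mvn dependency:list` format, not real build output.
        List<String> sample = List.of(
                "[INFO]    org.springframework:spring-expression:jar:5.3.48:compile",
                "[INFO]    org.springframework:spring-core:jar:5.3.48:compile",
                "[INFO]    org.springframework.boot:spring-boot:jar:2.7.18:compile",
                "[INFO]    org.springframework:spring-context:jar:5.3.49:compile",
                "[INFO]    org.springframework:spring-web:jar:5.2.25.RELEASE:compile",
                "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile");
        for (String hit : affectedCoordinates(sample)) {
            System.out.println("AFFECTED " + hit);
        }
        // Reports spring-expression and spring-core at 5.3.48; 5.3.49 is fixed and 5.2.x is outside the range.
    }
}
```

Run `mvn dependency:list` (or `gradle dependencies` with the lines reshaped to the same colon-separated form) in each service and feed the output to affectedCoordinates; a container image can be checked the same way by listing the spring-*.jar file names under the application's lib directory, since the version is embedded in the file name.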


Fix available: 5.3.49

Affected packages
  • Spring / Spring Framework: >= 5.3.0, < 5.3.49

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H