HarborGuard Database
CVE-2026-41850 · Severity: HIGH · CNA: vmware

CVE-2026-41850: Spring Framework Algorithmic Denial of Service via SpEL Expressions

Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 5.3.49
  • Affected products: 1

HarborGuard Analysis

Synopsis

This is an algorithmic denial-of-service vulnerability in Spring Framework affecting applications that evaluate user-supplied Spring Expression Language (SpEL) expressions. The vulnerability is reachable over the network with no authentication required, and the CVSS vector confirms that no user interaction is needed. Successful exploitation causes excessive CPU or memory consumption during SpEL evaluation, degrading or crashing the affected application. Patched-image rebuilds at versions 5.3.49, 6.1.28, 6.2.19, and 7.0.8 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-41850 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle Spring Framework as a transitive dependency. HarborGuard ingests from upstream advisory feeds continuously, so newly scanned and previously indexed images are both eligible for matching.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting it against each environment's compliance policy to determine urgency and routing. Triage findings are surfaced to the appropriate team inbox inside each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at the applicable fix version (5.3.49, 6.1.28, 6.2.19, or 7.0.8 depending on the branch in use) becomes available on HarborGuard for any image found to contain an affected Spring Framework version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the application over the network; any internet- or intranet-exposed endpoint that processes user-supplied SpEL expressions is in scope.

  • Authentication: Not required

    No credentials or session token are needed; the attacker can submit a crafted expression as an unauthenticated request.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the application without involving another person.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or knowledge of the target environment beyond the exposed endpoint.

Blast Radius

  • The affected service exhausts CPU or memory during SpEL expression evaluation, causing severe response-time degradation or a full application crash.
  • Repeated or sustained requests amplify resource exhaustion, potentially taking the service offline for all legitimate users.
  • Container restarts triggered by the crash loop can cascade to dependent services if readiness probes or circuit breakers are not configured.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41850 is active across all environments, matching against any image that packages Spring Framework 5.3.0 through 5.3.48, 6.1.0 through 6.1.27, 6.2.0 through 6.2.18, or 7.0.0 through 7.0.7. A patched rebuild targeting the correct fix branch (5.3.49, 6.1.28, 6.2.19, or 7.0.8) is available as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test pass, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not permitted by compliance policy, HarborGuard surfaces the finding with fix-version detail so engineers can apply the upgrade manually. As a compensating control while patching is in progress, teams should consider placing a WAF rule or input-validation layer in front of any endpoint that accepts and evaluates user-supplied SpEL expressions to reject or sanitize malformed input before it reaches the framework.
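A guarded evaluation wrapper that applies the compensating control described above (input length limit, restricted evaluation context, bounded evaluation time), shown as an added example rather than HarborGuard's or Spring's own code; the class name, the two budget constants and the pool size are assumptions to tune per service.

```java
import java.util.concurrent.*;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

// Added illustration, not HarborGuard's or Spring's own code. GuardedSpelEvaluator,
// the two budget constants and the pool size are assumptions to be tuned per service.
public final class GuardedSpelEvaluator {

    private static final int MAX_EXPRESSION_LENGTH = 256;  // assumed input budget
    private static final long TIMEOUT_MILLIS = 200;        // assumed evaluation budget

    // Auto-grow disabled: an expression cannot make the framework allocate
    // collections or null references on its behalf.
    private final SpelExpressionParser parser =
            new SpelExpressionParser(new SpelParserConfiguration(false, false));

    // Small dedicated pool: a slow evaluation occupies one of these threads,
    // never a request-handling thread, so other callers keep being served.
    private final ExecutorService pool = Executors.newFixedThreadPool(2);

    public Object evaluate(String userExpression, Object root) throws Exception {
        // 1. Input-validation layer: reject oversized input before the parser sees it.
        if (userExpression == null || userExpression.isEmpty()
                || userExpression.length() > MAX_EXPRESSION_LENGTH) {
            throw new IllegalArgumentException("expression rejected: empty or too long");
        }

        // 2. Read-only data-binding context: no type references, constructors,
        //    bean references or assignment, shrinking what an expression can do.
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();

        // 3. Parse and evaluate off the caller's thread under a wall-clock budget.
        Future<Object> result = pool.submit(() -> {
            Expression expr = parser.parseExpression(userExpression);
            return expr.getValue(ctx, root);
        });
        try {
            return result.get(TIMEOUT_MILLIS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the interrupt flag; a CPU-bound evaluation may
            // run to completion anyway, which is why the pool size is bounded above.
            result.cancel(true);
            throw new IllegalStateException("expression rejected: time budget exceeded");
        }
    }
}
```

The wrapper bounds the damage a single request can do while the upgrade to the listed fix version is rolled out; it does not replace that upgrade.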

Fix available: 5.3.49, 6.1.28, 6.2.19, 7.0.8

Affected packages
  • Spring / Spring Framework
    < 7.0.8 (from 7.0.0) · < 6.2.19 (from 6.2.0) · < 6.1.28 (from 6.1.0) · < 5.3.49 (from 5.3.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H