HIGH · CVE-2026-41855 · CNA: vmware

CVE-2026-41855: Spring Framework Unsafe Deserialization via Jackson JMS Converters

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 5.3.49 (6.1.28, 6.2.19 and 7.0.8 on the later branches)
Affected products: 1


HarborGuard Analysis

Synopsis

Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMessageConverter) allows an attacker who can deliver a crafted JMS message in an untrusted broker environment to trigger arbitrary class instantiation through Jackson gadget chains. The vulnerability is reachable over the network and requires no privileges on the target application (PR:N); attack complexity is rated high (AC:H) because exploitation depends on a suitable gadget class being present on the application's classpath. Successful exploitation yields full confidentiality, integrity and availability impact on the affected service, up to and including remote code execution. Patched-image rebuilds at Spring Framework 5.3.49, 6.1.28, 6.2.19 and 7.0.8 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Spring Framework as a transitive dependency.

Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH), weights that score against each environment's compliance policy to determine urgency, and routes the alert to the appropriate team inbox within the customer org.

Patch: Available

A patched-image rebuild targeting the applicable fix version (5.3.49, 6.1.28, 6.2.19 or 7.0.8, depending on the affected branch) is available for every image HarborGuard identifies as vulnerable. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against the affected workload automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver a crafted JMS message to the target service over the network via a reachable JMS broker endpoint.

  • Authentication: Not required

    No privileges on the target application are required (PR:N). The attacker needs only the ability to publish messages to a destination the application consumes, which is what "untrusted JMS environment" in the advisory assumes.

  • Victim interaction: Not required

    No user interaction is needed; the vulnerable code path executes automatically when the application converts an incoming JMS message.

  • Attack complexity: High

    Exploitation is non-trivial (AC:H): the attacker must be able to get messages onto a destination the target consumes, and a usable Jackson gadget class must be present on the target application's classpath.

Blast Radius

  • Reads any data accessible to the application process, including configuration secrets, session tokens, and database credentials.
  • Modifies or deletes application data and filesystem content writable by the process.
  • Crashes or hangs the affected service, causing denial of service for dependent consumers.
  • Executes arbitrary code in the context of the application container if a suitable gadget class is present on the classpath, enabling full host compromise.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all scanned images at ingestion time, with results surfaced immediately for any image bundling an affected Spring Framework version.

For customers who opt into auto-remediation, HarborGuard rebuilds the image on the appropriate patched branch (5.3.49, 6.1.28, 6.2.19 or 7.0.8), runs a regression test run against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with the CVSS score, affected image list and remediation guidance attached.

As compensating controls while a patched image is being prepared, customers can apply network policy to restrict which services are permitted to connect to JMS brokers, and can configure JMS consumer beans so that the message converter resolves payloads only to an explicit allow-list of application types rather than to any class named by the message. Neither control removes the vulnerable code path; upgrading to a fixed version does.
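The allow-listed converter configuration described above, as an added example that is not part of the HarborGuard page or of Spring's own code. It targets MappingJackson2MessageConverter (Jackson 2) and assumes a hypothetical OrderEvent record, an "orders" destination and a "_type" header name. The mapping fixes which class each type id resolves to; whether an id absent from the map is rejected or resolved by class name depends on the Spring Framework version in use, so on an affected version treat this as a compensating control alongside the upgrade, not a replacement for it.

```java
// Added example (not from the advisory or from Spring's documentation): a JMS
// listener configuration that limits the Jackson converter to a single
// allow-listed payload type selected by a JMS header, with Jackson's default
// polymorphic typing left disabled. OrderEvent, the "orders" destination and
// the "_type" header are hypothetical names chosen for this example.
//
// Spring Framework 6.x/7.x use jakarta.jms; on the 5.3.x branch change the
// import below to javax.jms.ConnectionFactory.
import java.util.Map;

import jakarta.jms.ConnectionFactory;

import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jms.annotation.EnableJms;
import org.springframework.jms.annotation.JmsListener;
import org.springframework.jms.config.DefaultJmsListenerContainerFactory;
import org.springframework.jms.support.converter.MappingJackson2MessageConverter;
import org.springframework.jms.support.converter.MessageType;

@Configuration
@EnableJms
public class JmsConverterConfig {

    /** Hypothetical payload: the only class this listener is meant to receive. */
    public record OrderEvent(String orderId, long amountCents) {}

    @Bean
    public MappingJackson2MessageConverter jmsMessageConverter() {
        // A plain ObjectMapper: activateDefaultTyping() is never called, so the
        // JSON body carries no "@class"-style property that could pick a type.
        ObjectMapper mapper = new ObjectMapper();

        MappingJackson2MessageConverter converter = new MappingJackson2MessageConverter();
        converter.setObjectMapper(mapper);
        converter.setTargetType(MessageType.TEXT);
        // The target type is chosen by a JMS string property, not by the body...
        converter.setTypeIdPropertyName("_type");
        // ...and these are the only ids the application expects to see.
        converter.setTypeIdMappings(Map.<String, Class<?>>of("order-event", OrderEvent.class));
        return converter;
    }

    @Bean
    public DefaultJmsListenerContainerFactory jmsListenerContainerFactory(
            ConnectionFactory connectionFactory,
            MappingJackson2MessageConverter jmsMessageConverter) {
        DefaultJmsListenerContainerFactory factory = new DefaultJmsListenerContainerFactory();
        factory.setConnectionFactory(connectionFactory);
        // Every listener built by this factory converts through the allow-listed converter.
        factory.setMessageConverter(jmsMessageConverter);
        return factory;
    }

    @Bean
    public OrderListener orderListener() {
        return new OrderListener();
    }

    public static class OrderListener {
        // A concrete parameter type documents the one payload this handler accepts.
        // It does not stop the converter from instantiating a class before the
        // argument is bound, which is why the allow-list and the upgrade matter.
        @JmsListener(destination = "orders", containerFactory = "jmsListenerContainerFactory")
        public void onOrder(OrderEvent event) {
            // application logic for a validated OrderEvent goes here
        }
    }
}
```

Producers on the trusted side must set the `_type` string property to `order-event` on each message, since the converter now refuses messages without a type id. Pair this with a network policy that permits only known producers to reach the broker, and keep the upgrade to 5.3.49, 6.1.28, 6.2.19 or 7.0.8 as the actual fix.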


Fix available: 5.3.49, 6.1.28, 6.2.19, 7.0.8

Affected packages
  • Spring / Spring Framework
    < 7.0.8 (from 7.0.0) · < 6.2.19 (from 6.2.0) · < 6.1.28 (from 6.1.0) · < 5.3.49 (from 5.3.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H