Security Advisory - Updated 2026-06-12 - Spring Framework
Spring Framework CVE-2026-41849, 41850, and 41851: SpEL DoS self-check
These Spring Framework CVEs affect applications that evaluate untrusted or user-controlled Spring Expression Language expressions. CVE-2026-41851 adds one specific condition: the application also caches parsed expressions. The practical impact is denial of service, not Express.js RCE.
Who is affected
| CVE | Affected versions | Fixed versions listed by Spring |
|---|---|---|
| CVE-2026-41849 | Spring Framework 5.3.0 through 5.3.48 | 5.3.49, commercial availability listed by Spring |
| CVE-2026-41850 | 7.0.0-7.0.7, 6.2.0-6.2.18, 6.1.0-6.1.27, 5.3.0-5.3.48 | 7.0.8, 6.2.19, 6.1.28, 5.3.49 where available |
| CVE-2026-41851 | 7.0.0-7.0.7, 6.2.0-6.2.18, 6.1.0-6.1.27, 5.3.0-5.3.48 | 7.0.8, 6.2.19, 6.1.28, 5.3.49 where available |
10-minute self-check
Step 1: Find Spring Framework versions
mvn dependency:tree | grep spring-expression
mvn dependency:tree | grep spring-context
./gradlew dependencies --configuration runtimeClasspath | grep spring-expression
If the application packages spring-expression, check the version against
the affected ranges. Spring Boot version alone is not enough; inspect resolved
dependencies.
Step 2: Search for SpEL evaluation points
grep -R "SpelExpressionParser\\|parseExpression\\|ExpressionParser\\|StandardEvaluationContext" src 2>/dev/null
grep -R "ConcurrentHashMap.*Expression\\|Cache.*Expression\\|parsedExpression" src 2>/dev/null This does not prove exposure. The important question is whether any of those paths receive expression text from a request body, query parameter, header, database row, template setting, or admin-controlled rule editor. For CVE-2026-41851, also check whether parsed expressions are cached by expression string or user-controlled inputs.
Step 3: Check public request paths
- Search API documentation for fields named expression, formula, rule, filter, condition, template, or selector.
- Review low-code, workflow, report builder, alert rule, and template features.
- Confirm whether non-admin users can create or edit expressions.
- Check rate limits and request timeout behavior around expression evaluation endpoints.
Safe fix path
- Upgrade Spring Framework. Use the fixed line that matches your supported branch.
- Remove untrusted SpEL input where possible. Replace user-editable expressions with allowlisted rule fields.
- Restrict expression editors. Keep SpEL authoring to trusted administrators only.
- Bound expression caches. Avoid caching untrusted expression variants without a size limit.
- Add timeouts and rate limits. Put limits around endpoints that evaluate dynamic rules.
- Watch resource graphs. Look for CPU spikes, thread exhaustion, and long request duration around expression-heavy endpoints.
Signals worth checking
- Repeated requests to rule, filter, or formula endpoints with high CPU usage.
- Application logs showing long SpEL evaluation time or request timeouts.
- Thread pool exhaustion, stuck request handlers, or autoscaling events during a small request volume.
- Heap growth tied to expression parsing or rule evaluation cache entries.
- New user-created rules shortly before availability issues.
Ping7 repair path
Ping7 can review dependency versions, SpEL usage points, public API exposure, and safe upgrade steps. Start from CVE Repair and include the Spring Framework version, Spring Boot version, and whether users can submit formulas or rules.