Security Advisory - Updated 2026-06-12 - Spring Framework

Spring Framework CVE-2026-41849, 41850, and 41851: SpEL DoS self-check

These Spring Framework CVEs affect applications that evaluate untrusted or user-controlled Spring Expression Language expressions. CVE-2026-41851 adds one specific condition: the application also caches parsed expressions. The practical impact is denial of service, not Express.js RCE.

Key condition: A Spring application is exposed only when it accepts user-controlled SpEL and evaluates it. For CVE-2026-41851, unbounded cache growth requires parsed expressions to be cached. Most applications should still update, but the exposure check starts with real expression input paths.

Who is affected

CVEAffected versionsFixed versions listed by Spring
CVE-2026-41849Spring Framework 5.3.0 through 5.3.485.3.49, commercial availability listed by Spring
CVE-2026-418507.0.0-7.0.7, 6.2.0-6.2.18, 6.1.0-6.1.27, 5.3.0-5.3.487.0.8, 6.2.19, 6.1.28, 5.3.49 where available
CVE-2026-418517.0.0-7.0.7, 6.2.0-6.2.18, 6.1.0-6.1.27, 5.3.0-5.3.487.0.8, 6.2.19, 6.1.28, 5.3.49 where available

10-minute self-check

Step 1: Find Spring Framework versions

mvn dependency:tree | grep spring-expression
mvn dependency:tree | grep spring-context
./gradlew dependencies --configuration runtimeClasspath | grep spring-expression

If the application packages spring-expression, check the version against the affected ranges. Spring Boot version alone is not enough; inspect resolved dependencies.

Step 2: Search for SpEL evaluation points

grep -R "SpelExpressionParser\\|parseExpression\\|ExpressionParser\\|StandardEvaluationContext" src 2>/dev/null
grep -R "ConcurrentHashMap.*Expression\\|Cache.*Expression\\|parsedExpression" src 2>/dev/null

This does not prove exposure. The important question is whether any of those paths receive expression text from a request body, query parameter, header, database row, template setting, or admin-controlled rule editor. For CVE-2026-41851, also check whether parsed expressions are cached by expression string or user-controlled inputs.

Step 3: Check public request paths

  • Search API documentation for fields named expression, formula, rule, filter, condition, template, or selector.
  • Review low-code, workflow, report builder, alert rule, and template features.
  • Confirm whether non-admin users can create or edit expressions.
  • Check rate limits and request timeout behavior around expression evaluation endpoints.

Safe fix path

  1. Upgrade Spring Framework. Use the fixed line that matches your supported branch.
  2. Remove untrusted SpEL input where possible. Replace user-editable expressions with allowlisted rule fields.
  3. Restrict expression editors. Keep SpEL authoring to trusted administrators only.
  4. Bound expression caches. Avoid caching untrusted expression variants without a size limit.
  5. Add timeouts and rate limits. Put limits around endpoints that evaluate dynamic rules.
  6. Watch resource graphs. Look for CPU spikes, thread exhaustion, and long request duration around expression-heavy endpoints.

Signals worth checking

  • Repeated requests to rule, filter, or formula endpoints with high CPU usage.
  • Application logs showing long SpEL evaluation time or request timeouts.
  • Thread pool exhaustion, stuck request handlers, or autoscaling events during a small request volume.
  • Heap growth tied to expression parsing or rule evaluation cache entries.
  • New user-created rules shortly before availability issues.

Ping7 repair path

Ping7 can review dependency versions, SpEL usage points, public API exposure, and safe upgrade steps. Start from CVE Repair and include the Spring Framework version, Spring Boot version, and whether users can submit formulas or rules.

References