CVE-2026-41852

Published: Jun 9, 2026Modified: Jun 11, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Affected (4)

Products: Vmware: Spring Framework

Vmware

1 product

Spring Framework

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Framework	From 5.3.0 to 5.3.49
Vmware Spring Framework	From 6.1.0 to 6.1.28
Vmware Spring Framework	From 6.2.0 to 6.2.19
Vmware Spring Framework	From 7.0.0 to 7.0.8

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (1)

https://spring.io/security/cve-2026-41852

Source: security@vmware.com

Vendor Advisory

Timeline

No history available yet.