Spring Security Advisories

RSS feed

CVE-2026-41849: Spring Framework Denial of Service via Integer Overflow in SpEL Expressions

HIGH | JUNE 08, 2026 | CVE-2026-41849

Description

An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS).

Specifically, an application is vulnerable when the following condition is met:

  • The application accepts and evaluates untrusted or user-controlled SpEL expressions.

Affected Spring Products and Versions

Spring Framework:

  • 5.3.0 - 5.3.48

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
5.3.x 5.3.49 Commercial

No further mitigation steps are necessary.

Credit

This issue was discovered internally.

References

History

  • 2026-06-08: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all