CVE-2026-41852
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic.
Risk Assessment
The risk involves potential remote execution of unauthorized operations by an attacker, which could compromise system integrity, confidentiality, or availability.
Recommendation
It is recommended to immediately upgrade Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch in use.
Original NVD description (English source)
A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

