CVE Catalog

CVE-2026-41855

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

In an untrusted JMS environment, MappingJackson2MessageConverter and JacksonJsonMessageConverter in Spring Framework allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization.

Risk Assessment

An attacker can remotely execute arbitrary code or perform other unauthorized operations on the system, posing a serious threat to data confidentiality, integrity, and availability.

Recommendation

Immediately update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch used, and avoid using untrusted JMS sources.

Original NVD description (English source)

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS