CVE-2026-41855
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
In an untrusted JMS environment, MappingJackson2MessageConverter and JacksonJsonMessageConverter in Spring Framework allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization.
Risk Assessment
An attacker can remotely execute arbitrary code or perform other unauthorized operations on the system, posing a serious threat to data confidentiality, integrity, and availability.
Recommendation
Immediately update Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch used, and avoid using untrusted JMS sources.
Original NVD description (English source)
In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

