CVE-2026-41862
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Spring Statemachine has a vulnerability in Kryo-based backends that deserialize state-machine contexts without enforcing a class allowlist. This can lead to remote code execution within the application JVM.
Risk Assessment
The organization may be exposed to remote code execution, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to upgrade to the latest version of Spring Statemachine to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4

