CVE Catalog

CVE-2026-41862

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile — higher than 34% of all known CVEs

Summary

Spring Statemachine has a vulnerability in Kryo-based backends that deserialize state-machine contexts without enforcing a class allowlist. This can lead to remote code execution within the application JVM.

Risk Assessment

The organization may be exposed to remote code execution, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to upgrade to the latest version of Spring Statemachine to mitigate the risks associated with this vulnerability.

Original NVD description (English source)

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4

Vulnerability data from NVD (NIST) · CISA KEV · EPSS