Spring Framework CVE-2026-41850: SpEL Algorithmic DoS Vulnerability and Fix

Vulnerability Overview Vulnerability Name: CVE-2026-41850 Vulnerability Type: Algorithmic Denial of Service via SpEL Expressions Severity: High Release Date: June 8, 2026 Affected Products Affected Product: Spring Framework Affected Versions: - 7.0.0 - 7.0.7 - 6.2.0 - 6.2.18 - 6.1.0 - 6.1.27 - 5.3.0 - 5.3.48 Conditions: Vulnerable when applications accept and evaluate untrusted or user-controlled SpEL expressions. Remediation Fixed Versions: - 7.0.x -> 7.0.8 (OSS) - 7.0.x -> 7.0.7.1 (Commercial) - 6.2.x -> 6.2.19 (OSS) - 6.2.x -> 6.2.18.1 (Commercial) - 6.1.x -> 6.1.28 (Commercial) - 5.3.x -> 5.3.49 (Commercial) Additional Information Mitigation: - Users should upgrade to the corresponding fixed versions. - The pinned version of Spring Expression Language tracks the number of operations executed during expression evaluation. - A new limit (default 10,000) can be customized. If this limit is exceeded, the application will throw a . - Developers can adjust this limit via or globally using the JVM system property or Spring property. - Exercise caution when increasing this value, as higher limits reduce the effectiveness of this mitigation against resource exhaustion. References NVD NIST CVE MITRE History 2026-06-08: Initial vulnerability report published. Reporting Vulnerabilities To report security vulnerabilities in the Spring project portfolio, please refer to the Security Policy.

Goal Reached Thanks to every supporter — we hit 100%!

Spring Framework CVE-2026-41850: SpEL Algorithmic DoS Vulnerability and Fix