A denial-of-service vulnerability in Spring Framework’s Expression Language (SpEL) evaluation, tracked as CVE-2026-41851, allows attackers to trigger unbounded cache growth by supplying crafted SpEL expressions. It affects Spring Framework 5.3.x, 6.1.x, 6.2.x, and 7.0.x — the most widely used Java application framework globally.
What Is the Vulnerability?
CVE-2026-41851 is an uncontrolled resource consumption vulnerability (CWE-770) in Spring Expression Language (SpEL). Applications that accept user-supplied SpEL expressions may trigger unbounded cache growth during evaluation, leading to memory exhaustion and denial of service. Spring is deployed in millions of Java applications — any application that evaluates SpEL expressions from user input is affected.
- CVSS v3.1 Score: 5.3 (Medium)
- Fixed in: 5.3.49, 6.1.28, 6.2.19, 7.0.8
Which Versions Are Affected?
- Spring Framework 5.3.0 through 5.3.48
- Spring Framework 6.1.0 through 6.1.27
- Spring Framework 6.2.0 through 6.2.18
- Spring Framework 7.0.0 through 7.0.7
What Is the Fix?
Update Spring Framework to the latest version for your release train. Audit applications for user-supplied SpEL expression evaluation — restrict SpEL usage to trusted input only.
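As an added illustration of the audit advice above (not code from this advisory or from the Spring project), the constructed example below contrasts evaluating a user-supplied SpEL string directly with accepting only a key into a fixed, pre-parsed set of expressions. The class, method names and the `Order` root object are assumptions made for the demo.

```java
import java.util.Map;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/** Constructed demo: user-supplied SpEL (risky pattern) vs. allow-listed, pre-parsed expressions. */
public class SpelInputHandling {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Risky pattern: every distinct user string is parsed and evaluated as an expression.
    // This is the usage the advisory tells you to find in an audit and move to trusted input only.
    static Object evaluateUserExpression(String userExpr, Object root) {
        Expression e = PARSER.parseExpression(userExpr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    // Hardened pattern: expressions are fixed by the application and parsed once at startup.
    // The user selects one by key, so user input never reaches the SpEL parser.
    private static final Map<String, Expression> ALLOWED = Map.of(
            "name", PARSER.parseExpression("name"),
            "total", PARSER.parseExpression("price * quantity"));

    static Object evaluateAllowListed(String key, Object root) {
        Expression e = ALLOWED.get(key);
        if (e == null) {
            throw new IllegalArgumentException("unknown expression key: " + key);
        }
        // Read-only data-binding context: no type references, constructors or bean references.
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    // Constructed root object used by both patterns.
    public static class Order {
        public String getName() { return "widget"; }
        public int getPrice() { return 3; }
        public int getQuantity() { return 4; }
    }

    public static void main(String[] args) {
        Order order = new Order();
        System.out.println("total = " + evaluateAllowListed("total", order));
        try {
            // An arbitrary expression string is rejected: it is not one of the allowed keys.
            evaluateAllowListed("price + 1", order);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Alongside the code change, confirm the dependency is on a fixed release (5.3.49, 6.1.28, 6.2.19 or 7.0.8) in your build file, since the allow-list only removes the user-controlled path, not the underlying defect.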
References
This advisory was first covered in the broader Vulnerability Intelligence Report — June 10, 2026.
