ZeroPath at Black Hat USA 2026

Spring Framework CVE-2026-41850: Brief Summary of the SpEL Algorithmic Denial of Service Vulnerability

A brief summary of CVE-2026-41850, a high severity algorithmic denial of service vulnerability in Spring Framework's SpEL evaluation engine affecting four major version branches. We cover the technical root cause, affected versions, mitigation guidance, and the broader pattern of recurring SpEL DoS issues.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

Spring Framework CVE-2026-41850: Brief Summary of the SpEL Algorithmic Denial of Service Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A crafted Spring Expression Language (SpEL) input can now bring down a Spring Framework application without authentication, without user interaction, and with minimal effort on the attacker's part. CVE-2026-41850 is an algorithmic denial of service vulnerability scored at CVSS 7.5 (HIGH) that affects four major Spring Framework version branches, spanning nearly the entire active and legacy support window.

What makes this particularly noteworthy is the pattern it continues. This is the third publicly disclosed SpEL DoS vulnerability in Spring Framework, following CVE-2023-20861 and CVE-2024-38808, and it arrives alongside what Broadcom calls the "largest set" of Spring security updates in the framework's 23 year history. The severity has escalated with each iteration: from 5.3 to 4.3 to now 7.5, reflecting progressively more impactful algorithmic exploitation paths in the SpEL engine.

Technical Information

Root Cause: Algorithmic Complexity in SpEL Evaluation

CVE-2026-41850 is classified under CWE-407 (Inefficient Algorithmic Complexity) by NVD and additionally CWE-770 (Allocation of Resources Without Limits or Throttling) per the Spring advisory. CWE-407 describes a weakness where "an algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached." CWE-407 sits within a well studied family of algorithmic DoS weaknesses; it is a child of CWE-405 (Asymmetric Resource Consumption) and a parent of CWE-1333 (Inefficient Regular Expression Complexity).

The Spring Expression Language is a powerful runtime expression evaluation engine used throughout the Spring Framework. When an application accepts and evaluates untrusted or user controlled SpEL expressions, an attacker can supply a specially crafted expression that forces the SpEL evaluation engine into a worst case computational path. In algorithmic complexity attacks, this typically involves exploiting hash collision worst cases, recursive nesting, or data structure operations that degrade from average case O(1) or O(n) to worst case O(n^2) or worse. The result is that a relatively small, carefully constructed input consumes disproportionate CPU cycles or memory during expression evaluation.

CVSS Breakdown

The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, yielding a base score of 7.5 (HIGH):

CVSS ComponentValueSignificance
Attack Vector (AV)NetworkExploitable remotely over any network path
Attack Complexity (AC)LowNo specialized conditions required
Privileges Required (PR)NoneNo authentication needed
User Interaction (UI)NoneNo victim action required
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)NoneNo information disclosure
Integrity (I)NoneNo data modification
Availability (A)HighComplete denial of service to the application

The key escalation from the prior CVE-2024-38808 (CVSS 4.3, vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) is that CVE-2026-41850 requires no user interaction (UI:N versus UI:R) and causes high availability impact (A:H versus A:L), nearly doubling the CVSS score.

Attack Flow

The exploitation follows a straightforward path:

  1. Identify a SpEL evaluation endpoint: The attacker locates a Spring Framework endpoint that accepts user input and passes it to the SpEL evaluation engine. Common scenarios include web endpoints that evaluate SpEL expressions from request parameters or headers, rule engines or dynamic configuration systems that accept SpEL from external sources, and data filtering or query mechanisms that incorporate user supplied SpEL expressions.

  2. Craft a malicious SpEL expression: The attacker constructs a SpEL expression designed to trigger the worst case algorithmic complexity in the evaluation engine. The exact structure of the crafted expression has not been publicly disclosed, consistent with Spring's responsible disclosure practice.

  3. Submit the expression over the network: Because the attack vector is network based (AV:N), the attacker sends the crafted expression via HTTP. No authentication is required (PR:N) and no user interaction is needed (UI:N), meaning the attack can be fully automated.

  4. Resource exhaustion occurs: The SpEL engine processes the expression and enters an algorithmically expensive computation path, consuming excessive CPU and/or memory. This leads to application degradation or complete unavailability.

The attack requires only a single HTTP request containing the crafted SpEL expression, making it suitable for mass scanning and automated exploitation campaigns.

Comparison with Prior SpEL DoS Vulnerabilities

The progression across three SpEL DoS CVEs reveals a persistent architectural weakness:

CVEYearCVSSCWEAffected VersionsKey Difference
CVE-2023-2086120235.3CWE-7705.3.x, 6.0.xFound via fuzzing by Code Intelligence; user interaction required
CVE-2024-3880820244.3CWE-7705.3.0 through 5.3.38User interaction required; limited availability impact
CVE-2026-4185020267.5CWE-407, CWE-7705.3.0 through 7.0.7No user interaction; high availability impact; broad version range

Each successive CVE demonstrates that the SpEL engine's resource consumption remains insufficiently bounded despite incremental patches. The escalating severity suggests that point fixes alone are insufficient and that the SpEL engine may require architectural hardening, such as mandatory resource limits or sandboxed evaluation contexts for untrusted input.

Mitigation

The official Spring advisory prescribes a single mitigation: upgrade to the corresponding fixed version. The advisory explicitly states: "No further mitigation steps are necessary" after upgrading. There are no documented workarounds for CVE-2026-41850.

For open source users:

  • Upgrade Spring Framework 7.0.x to 7.0.8
  • Upgrade Spring Framework 6.2.x to 6.2.19

For commercial and enterprise users (via Tanzu Spring Enterprise):

  • Apply patch 7.0.7.1 for 7.0.x deployments
  • Apply patch 6.2.18.1 for 6.2.x deployments
  • Apply patch 6.1.28 for 6.1.x deployments
  • Apply patch 5.3.49 for 5.3.x deployments

Broadcom provides Day 0 access to validated CVE patch releases through the Tanzu Spring Enterprise Repository, which isolates security fixes from other changes and offers SLSA level 3 validated software supply chain builds covering the full transitive dependency graph.

For Maven based projects, the upgrade looks like this:

<dependencyManagement> <dependencies> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-framework-bom</artifactId> <version>7.0.8</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement>

A note on historical workarounds: The prior CVE-2024-38808 recommended evaluating user supplied expressions using a SimpleEvaluationContext in read only mode, which strictly limits the capabilities available to the SpEL engine. Organizations that cannot immediately upgrade may consider this approach as a risk reduction measure, though its effectiveness against CVE-2026-41850 specifically is not confirmed by the official advisory.

General CWE-407 mitigation best practices from MITRE include using constant time or logarithmic operations for processing untrusted data, imposing strict size and recursion limits on expression evaluation, conducting formal complexity analyses during code review, and rate limiting expression evaluation requests from untrusted sources.

Affected Systems and Versions

CVE-2026-41850 affects four major Spring Framework version branches:

BranchAffected RangeOpen Source FixCommercial Fix (Tanzu)
7.0.x7.0.0 through 7.0.77.0.87.0.7.1
6.2.x6.2.0 through 6.2.186.2.196.2.18.1
6.1.x6.1.0 through 6.1.27N/A (unsupported for OSS)6.1.28
5.3.x5.3.0 through 5.3.48N/A (unsupported for OSS)5.3.49

The advisory also notes that "Versions that are no longer supported are also affected." Organizations on the 6.1.x and 5.3.x branches cannot obtain open source patches and must either migrate to a supported branch or obtain commercial patches through Broadcom's Tanzu Spring Enterprise offering.

Any application that evaluates user supplied SpEL expressions is vulnerable, regardless of the deployment model. The vulnerability is exploitable over any network path without authentication.

Vendor Security History

The Spring Framework has experienced a steady cadence of security vulnerabilities, particularly in its web stack and expression evaluation components. In 2026 alone, multiple CVEs have been disclosed:

CVETypeCVSSDate
CVE-2026-22732Spring Security cache poisoningNot specifiedMarch 2026
CVE-2026-22735Stream corruptionNot specifiedMarch 2026
CVE-2026-22737Path bypass / info disclosureNot specifiedMarch 2026
CVE-2026-41850SpEL Algorithmic DoS7.5June 2026
CVE-2026-41851Denial of ServiceNot specifiedJune 2026

The Spring advisory for April 2026 described "3 Web Stack DoS and Cache Poisoning CVEs" in a single batch. Broadcom reported a 1700% increase in monthly security advisories from March to April 2026, a surge the company attributes in part to AI assisted vulnerability discovery by both researchers and its own engineering team.

Broadcom has responded with several initiatives: AI assisted security analysis using frontier model based scanning, Project Glasswing (an Anthropic based LLM initiative for proactive defense), and SLSA Level 3 supply chain validation through the Tanzu Spring Enterprise Repository. Purnima Padmanabhan, VP and GM of Broadcom's Tanzu Division, stated that Broadcom's position as "steward and sole committer" means the company can "better secure it at the source for everyone who depends on it."

The broader Spring ecosystem has also seen significant security research in 2026, including CVE-2026-40478, a critical Thymeleaf sandbox bypass discovered by Endor Labs that allows arbitrary code execution in Spring applications, demonstrating that expression based vulnerabilities in the Spring ecosystem can escalate beyond DoS to remote code execution.

The researcher credited with discovering and reporting CVE-2026-41850 is @wo1enca1ca1.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization