Introduction
A crafted Spring Expression Language (SpEL) input can now bring down a Spring Framework application without authentication, without user interaction, and with minimal effort on the attacker's part. CVE-2026-41850 is an algorithmic denial of service vulnerability scored at CVSS 7.5 (HIGH) that affects four major Spring Framework version branches, spanning nearly the entire active and legacy support window.
What makes this particularly noteworthy is the pattern it continues. This is the third publicly disclosed SpEL DoS vulnerability in Spring Framework, following CVE-2023-20861 and CVE-2024-38808, and it arrives alongside what Broadcom calls the "largest set" of Spring security updates in the framework's 23 year history. The severity has escalated with each iteration: from 5.3 to 4.3 to now 7.5, reflecting progressively more impactful algorithmic exploitation paths in the SpEL engine.
Technical Information
Root Cause: Algorithmic Complexity in SpEL Evaluation
CVE-2026-41850 is classified under CWE-407 (Inefficient Algorithmic Complexity) by NVD and additionally CWE-770 (Allocation of Resources Without Limits or Throttling) per the Spring advisory. CWE-407 describes a weakness where "an algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached." CWE-407 sits within a well studied family of algorithmic DoS weaknesses; it is a child of CWE-405 (Asymmetric Resource Consumption) and a parent of CWE-1333 (Inefficient Regular Expression Complexity).
The Spring Expression Language is a powerful runtime expression evaluation engine used throughout the Spring Framework. When an application accepts and evaluates untrusted or user controlled SpEL expressions, an attacker can supply a specially crafted expression that forces the SpEL evaluation engine into a worst case computational path. In algorithmic complexity attacks, this typically involves exploiting hash collision worst cases, recursive nesting, or data structure operations that degrade from average case O(1) or O(n) to worst case O(n^2) or worse. The result is that a relatively small, carefully constructed input consumes disproportionate CPU cycles or memory during expression evaluation.
CVSS Breakdown
The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, yielding a base score of 7.5 (HIGH):
| CVSS Component | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over any network path |
| Attack Complexity (AC) | Low | No specialized conditions required |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Unchanged | Impact confined to the vulnerable component |
| Confidentiality (C) | None | No information disclosure |
| Integrity (I) | None | No data modification |
| Availability (A) | High | Complete denial of service to the application |
The key escalation from the prior CVE-2024-38808 (CVSS 4.3, vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) is that CVE-2026-41850 requires no user interaction (UI:N versus UI:R) and causes high availability impact (A:H versus A:L), nearly doubling the CVSS score.
Attack Flow
The exploitation follows a straightforward path:
-
Identify a SpEL evaluation endpoint: The attacker locates a Spring Framework endpoint that accepts user input and passes it to the SpEL evaluation engine. Common scenarios include web endpoints that evaluate SpEL expressions from request parameters or headers, rule engines or dynamic configuration systems that accept SpEL from external sources, and data filtering or query mechanisms that incorporate user supplied SpEL expressions.
-
Craft a malicious SpEL expression: The attacker constructs a SpEL expression designed to trigger the worst case algorithmic complexity in the evaluation engine. The exact structure of the crafted expression has not been publicly disclosed, consistent with Spring's responsible disclosure practice.
-
Submit the expression over the network: Because the attack vector is network based (AV:N), the attacker sends the crafted expression via HTTP. No authentication is required (PR:N) and no user interaction is needed (UI:N), meaning the attack can be fully automated.
-
Resource exhaustion occurs: The SpEL engine processes the expression and enters an algorithmically expensive computation path, consuming excessive CPU and/or memory. This leads to application degradation or complete unavailability.
The attack requires only a single HTTP request containing the crafted SpEL expression, making it suitable for mass scanning and automated exploitation campaigns.
Comparison with Prior SpEL DoS Vulnerabilities
The progression across three SpEL DoS CVEs reveals a persistent architectural weakness:
| CVE | Year | CVSS | CWE | Affected Versions | Key Difference |
|---|---|---|---|---|---|
| CVE-2023-20861 | 2023 | 5.3 | CWE-770 | 5.3.x, 6.0.x | Found via fuzzing by Code Intelligence; user interaction required |
| CVE-2024-38808 | 2024 | 4.3 | CWE-770 | 5.3.0 through 5.3.38 | User interaction required; limited availability impact |
| CVE-2026-41850 | 2026 | 7.5 | CWE-407, CWE-770 | 5.3.0 through 7.0.7 | No user interaction; high availability impact; broad version range |
Each successive CVE demonstrates that the SpEL engine's resource consumption remains insufficiently bounded despite incremental patches. The escalating severity suggests that point fixes alone are insufficient and that the SpEL engine may require architectural hardening, such as mandatory resource limits or sandboxed evaluation contexts for untrusted input.
Mitigation
The official Spring advisory prescribes a single mitigation: upgrade to the corresponding fixed version. The advisory explicitly states: "No further mitigation steps are necessary" after upgrading. There are no documented workarounds for CVE-2026-41850.
For open source users:
- Upgrade Spring Framework 7.0.x to 7.0.8
- Upgrade Spring Framework 6.2.x to 6.2.19
For commercial and enterprise users (via Tanzu Spring Enterprise):
- Apply patch 7.0.7.1 for 7.0.x deployments
- Apply patch 6.2.18.1 for 6.2.x deployments
- Apply patch 6.1.28 for 6.1.x deployments
- Apply patch 5.3.49 for 5.3.x deployments
Broadcom provides Day 0 access to validated CVE patch releases through the Tanzu Spring Enterprise Repository, which isolates security fixes from other changes and offers SLSA level 3 validated software supply chain builds covering the full transitive dependency graph.
For Maven based projects, the upgrade looks like this:
<dependencyManagement> <dependencies> <dependency> <groupId>org.springframework</groupId> <artifactId>spring-framework-bom</artifactId> <version>7.0.8</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement>
A note on historical workarounds: The prior CVE-2024-38808 recommended evaluating user supplied expressions using a SimpleEvaluationContext in read only mode, which strictly limits the capabilities available to the SpEL engine. Organizations that cannot immediately upgrade may consider this approach as a risk reduction measure, though its effectiveness against CVE-2026-41850 specifically is not confirmed by the official advisory.
General CWE-407 mitigation best practices from MITRE include using constant time or logarithmic operations for processing untrusted data, imposing strict size and recursion limits on expression evaluation, conducting formal complexity analyses during code review, and rate limiting expression evaluation requests from untrusted sources.
Affected Systems and Versions
CVE-2026-41850 affects four major Spring Framework version branches:
| Branch | Affected Range | Open Source Fix | Commercial Fix (Tanzu) |
|---|---|---|---|
| 7.0.x | 7.0.0 through 7.0.7 | 7.0.8 | 7.0.7.1 |
| 6.2.x | 6.2.0 through 6.2.18 | 6.2.19 | 6.2.18.1 |
| 6.1.x | 6.1.0 through 6.1.27 | N/A (unsupported for OSS) | 6.1.28 |
| 5.3.x | 5.3.0 through 5.3.48 | N/A (unsupported for OSS) | 5.3.49 |
The advisory also notes that "Versions that are no longer supported are also affected." Organizations on the 6.1.x and 5.3.x branches cannot obtain open source patches and must either migrate to a supported branch or obtain commercial patches through Broadcom's Tanzu Spring Enterprise offering.
Any application that evaluates user supplied SpEL expressions is vulnerable, regardless of the deployment model. The vulnerability is exploitable over any network path without authentication.
Vendor Security History
The Spring Framework has experienced a steady cadence of security vulnerabilities, particularly in its web stack and expression evaluation components. In 2026 alone, multiple CVEs have been disclosed:
| CVE | Type | CVSS | Date |
|---|---|---|---|
| CVE-2026-22732 | Spring Security cache poisoning | Not specified | March 2026 |
| CVE-2026-22735 | Stream corruption | Not specified | March 2026 |
| CVE-2026-22737 | Path bypass / info disclosure | Not specified | March 2026 |
| CVE-2026-41850 | SpEL Algorithmic DoS | 7.5 | June 2026 |
| CVE-2026-41851 | Denial of Service | Not specified | June 2026 |
The Spring advisory for April 2026 described "3 Web Stack DoS and Cache Poisoning CVEs" in a single batch. Broadcom reported a 1700% increase in monthly security advisories from March to April 2026, a surge the company attributes in part to AI assisted vulnerability discovery by both researchers and its own engineering team.
Broadcom has responded with several initiatives: AI assisted security analysis using frontier model based scanning, Project Glasswing (an Anthropic based LLM initiative for proactive defense), and SLSA Level 3 supply chain validation through the Tanzu Spring Enterprise Repository. Purnima Padmanabhan, VP and GM of Broadcom's Tanzu Division, stated that Broadcom's position as "steward and sole committer" means the company can "better secure it at the source for everyone who depends on it."
The broader Spring ecosystem has also seen significant security research in 2026, including CVE-2026-40478, a critical Thymeleaf sandbox bypass discovered by Endor Labs that allows arbitrary code execution in Spring applications, demonstrating that expression based vulnerabilities in the Spring ecosystem can escalate beyond DoS to remote code execution.
The researcher credited with discovering and reporting CVE-2026-41850 is @wo1enca1ca1.
References
- CVE-2026-41850: Spring Framework Algorithmic Denial of Service (Official Advisory)
- CVE-2026-41850 on Vulners
- Spring Framework 7.0.8 and 6.2.19 Available Now
- Broadcom Expands Its Investment in Spring and Java Ecosystem Security
- Broadcom Injects Security Updates into Spring, Java Ecosystems (SDxCentral)
- Broadcom Aims to Better Secure Spring Applications in the AI Era (DevOps.com)
- CWE-407: Inefficient Algorithmic Complexity (MITRE)
- CVE-2024-38808: Spring Expression DoS Vulnerability (Prior SpEL DoS)
- Expression DoS Vulnerability Found in Spring: CVE-2023-20861 (Code Intelligence)
- Spring Framework Vulnerable to Denial of Service (GitLab Advisory for CVE-2024-38808)
- Algorithmic Complexity Vulnerabilities: An Introduction (Two Six Technologies)
- Spring Framework April 2026: 3 Web Stack DoS and Cache Poisoning CVEs (HeroDevs)
- CISA Known Exploited Vulnerabilities Catalog
- Thymeleaf Sandbox Bypass CVE-2026-40478 (Endor Labs)



