Home

Description

In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

PUBLISHED Reserved 2026-04-22 | Published 2026-06-09 | Updated 2026-06-09 | Assigner vmware




HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

Default status
unaffected

7.0.0 (custom) before 7.0.8
affected

6.2.0 (custom) before 6.2.19
affected

6.1.0 (custom) before 6.1.28
affected

5.3.0 (custom) before 5.3.49
affected

References

spring.io/security/cve-2026-41855

cve.org (CVE-2026-41855)

nvd.nist.gov (CVE-2026-41855)

Download JSON