CVE-2026-41862 | Spring Statemachine's Kryo-based persistence backends (JPA, … | CVSS 8.8 HIGH

Description

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1 Spring Statemachine 3.2.0 through 3.2.4

Metadata

CVE ID: CVE-2026-41862
State: PUBLISHED
Assigner: vmware
Reserved: 2026-04-22 06:22 UTC
Published: 2026-06-23 20:59 UTC
Last updated: 2026-06-23 20:59 UTC
Primary CWE: CWE-502
CWE-502: Deserialization of Untrusted Data
Vendor / Product: Spring / Spring Statemachine
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Spring	Spring Statemachine	—	4.0.0 < 4.0.1.1, 3.2.0 < 3.2.5

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	CWE-502: Deserialization of Untrusted Data

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (1)

https://spring.io/security/cve-2026-41862