CVE-2026-41862
Published 2026-06-23
Priority: P261 (high) | CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.42% (33.9th percentile)
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.
Affected versions:
Spring Statemachine 4.0.0 through 4.0.1
Spring Statemachine 3.2.0 through 3.2.4
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spring | spring_statemachine | >= 3.2.0 < 3.2.5 | 3.2.5 |
| spring | spring_statemachine | >= 4.0.0 < 4.0.1.1 | 4.0.1.1 |
VulDB
vuldb · 2026-06-24 · CVSS 8.8
CVE-2026-41862 [HIGH] Vmware Spring Statemachine up to 3.2.4 deserialization (EUVD-2026-38596)
A vulnerability was found in Vmware Spring Statemachine up to 3.2.4. It has been classified as critical. Affected is an unknown function. The manipulation leads to deserialization.
This vulnerability is referenced as CVE-2026-41862. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
ghsa_unreviewed · 2026-06-23
CVE-2026-41862 [HIGH] CWE-502
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.
Affected versions:
Spring Statemachine 4.0.0 through 4.0.1
Spring Statemachine 3.2.0 through 3.2.4
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.