CVE-2026-41862P2HIGHCVSS 8.8≥ 4.0.0, < 4.0.1.1·≥ 3.2.0, < 3.2.52026-06-23
CVE-2026-41862 [HIGH] CWE-502 CVE-2026-41862: Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialis
Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.
Affected versions:
Spring Statemachine 4.0.0 through 4.0.1
Spring S
nvd