Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.
Affected versions:
Spring Statemachine 4.0.0 through 4.0.1
Spring Statemachine 3.2.0 through 3.2.4
References
| Link | Resource |
|---|---|
| https://spring.io/security/cve-2026-41862 |
Configurations
No configuration.
History
23 Jun 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-23 21:16
Updated : 2026-06-25 19:10
NVD link : CVE-2026-41862
Mitre link : CVE-2026-41862
CVE.ORG link : CVE-2026-41862
JSON object : View
Products Affected
No product.
CWE
CWE-502
Deserialization of Untrusted Data
