CVE-2026-41862

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.

Affected versions:
- Spring Statemachine 4.0.0 through 4.0.1
- Spring Statemachine 3.2.0 through 3.2.4
Configurations

No configuration.

History

23 Jun 2026, 21:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-06-23 21:16

Updated : 2026-06-25 19:10


NVD link : CVE-2026-41862

Mitre link : CVE-2026-41862

CVE.ORG link : CVE-2026-41862

Products Affected

No product.

CWE
CWE-502

Deserialization of Untrusted Data