High

Spring Framework JMS Jackson message converter deserialization vulnerability

IdentifiersCVE-2026-41855CWE-502· Deserialization of Untrusted Data

CVE-2026-41855 is a deserialization-related vulnerability in Spring Framework affecting org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter. In an untrusted JMS environment, these Jackson-based JMS message converters can permit arbitrary class instantiation during message conversion, enabling gadget class deserialization. This can result in unauthorized actions when attacker-controlled JMS message content is processed by a vulnerable application. Affected Spring Framework versions are 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an unauthenticated attacker able to supply crafted messages in an untrusted JMS environment to trigger arbitrary class instantiation through gadget deserialization. Depending on the available gadget chain and application context, this may lead to unauthorized actions and severe impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

Do not use org.springframework.jms.support.converter.MappingJackson2MessageConverter or org.springframework.jms.support.converter.JacksonJsonMessageConverter in untrusted JMS environments until patched versions are deployed. Restrict JMS message sources to trusted producers only and reduce exposure of JMS infrastructure to untrusted senders.

Remediation

Patch, then assume compromise.

Upgrade Spring Framework to a fixed version later than the affected ranges: later than 7.0.7, 6.2.18, 6.1.27, and 5.3.48, as applicable to the deployed branch. Review applications using org.springframework.jms.support.converter.MappingJackson2MessageConverter or org.springframework.jms.support.converter.JacksonJsonMessageConverter and update them to patched Spring Framework releases.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomSpring Frameworkapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cvefeed high severityNews

Jun 9, 2026

CVE-2026-41855 - Spring Framework Unsafe Deserialization via Jackson JMS Converters

A Spring Framework deserialization-related vulnerability in JMS message converters that allows arbitrary class instantiation in untrusted JMS environments, potentially leading to unauthorized actions via gadget class deserialization.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41855

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41855

MITRE CWE · CWE-502

Deserialization of Untrusted Data

spring.io

spring.io/security/cve-2026-41855