Data Binding Vulnerability in Spring Web Flow with Unified EL Parser
CVE-2026-40985

6.4MEDIUM

Key Information:

Vendor

Spring

Status
Spring Web Flow
Vendor
CVE Published:
11 June 2026

What is CVE-2026-40985?

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions.

Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

Affected Version(s)

Spring Web Flow 4.0.0 < 4.0.1

Spring Web Flow 3.0.0 < 3.0.2

Spring Web Flow 2.5.0 < 2.5.2

References

https://spring.io/security/cve-2026-40985

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.