This vulnerability (CVE-2026-41855) in the Spring Framework arises from unsafe deserialization of untrusted JMS messages using the MappingJackson2MessageConverter and JacksonJsonMessageConverter classes. When these converters process JMS messages in an untrusted environment, they allow instantiation of arbitrary classes, which can be exploited to perform unauthorized actions. The issue affects multiple Spring Framework versions spanning 5.3.x, 6.1.x, 6.2.x, and 7.0.x branches. The CVSS 3.1 base score is 8.1, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, and no privileges or user interaction required. As of the published date, no official patch or remediation level has been disclosed by the vendor.

Successful exploitation can lead to arbitrary code execution or unauthorized actions due to deserialization of maliciously crafted JMS messages. The impact includes full compromise of confidentiality, integrity, and availability of affected systems running vulnerable Spring Framework versions in untrusted JMS environments. No known exploits have been reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid processing JMS messages from untrusted sources using the affected converters or implement strict input validation and deserialization controls. Monitor vendor communications for updates on patches or official mitigations.