Security Advisory - Published 2026-06-24 - Spring Statemachine

Spring Statemachine Kryo persistence: check stored state before restarting

CVE-2026-41862 affects Spring Statemachine deployments that persist state-machine contexts with Kryo-backed storage. The patch may need a state migration plan, so identify affected services and preserve state-store evidence before changing code.

Defensive scope: this page is for owned Java applications and approved maintenance. It does not include gadget-chain construction or offensive details.

Affected versions

CVE             Product              Affected                      Fixed                                               CVSS
CVE-2026-41862  Spring Statemachine  3.2.0-3.2.4 and 4.0.0-4.0.1   4.0.2 for OSS users, or the supported fixed branch  8.8

Owner self-check

# Build files: is Spring Statemachine or Kryo on the classpath at all?
grep -niE 'spring-statemachine|kryo' pom.xml build.gradle build.gradle.kts gradle.lockfile 2>/dev/null
# Source and config: which persister or repository classes are wired in?
grep -RniE 'StateMachineRuntimePersister|Kryo|JpaPersistingStateMachineInterceptor|RedisStateMachineContextRepository|MongoDbStateMachineRepository' src config 2>/dev/null
# Logs: recent restore, deserialization or backend errors around the state store
grep -RniE 'statemachine|state machine|kryo|deserializ|deserialis|redis|mongodb|zookeeper' logs var/log 2>/dev/null | tail -n 180

What to review

  • Any service running Spring Statemachine in the affected 3.2.x or 4.0.x range with Kryo persistence.
  • Persistence backends: JPA, MongoDB, Redis, and ZooKeeper state-machine context stores.
  • Whether persisted state comes only from trusted service code or can be influenced by users, queues, admin tools, or import jobs.
  • Recent deserialization errors, state restore failures, unexpected transitions, and restarts around state-store writes.

Safe fix path

  1. Upgrade to Spring Statemachine 4.0.2 where possible, or the fixed version for your supported branch.
  2. Register expected state, event, context, and extended-state classes before deserializing stored contexts.
  3. Plan a persisted-state migration if older Kryo data cannot be trusted or cannot be read safely after patching.
  4. Back up the state store and logs before redeploying; state-machine failures can look like ordinary workflow bugs later.
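Step 2 at the Kryo level, as an added example rather than code from this page, from Spring Statemachine or from the vendor: a Kryo instance with registration required restores a constructed context built only from registered classes, and rejects bytes that name a class it was never told about. The class names KryoRegistrationCheck, PersistedContext and UnexpectedType are constructed for the example, the "stored" bytes are produced in-process instead of being read from a real backend, and Kryo 5 (com.esotericsoftware:kryo) is assumed on the classpath. How the fixed Spring Statemachine release wires its own Kryo instance is not covered on this page, so the example shows the control, not the project's configuration.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

import java.util.HashMap;

public final class KryoRegistrationCheck {

    /** Minimal stand-in for a persisted state-machine context (constructed for this example). */
    public static final class PersistedContext {
        public String stateId;
        public HashMap<String, Object> extendedState = new HashMap<>();
    }

    /** Stand-in for a type that should never appear in a stored context (constructed). */
    public static final class UnexpectedType {
        public String payload;
    }

    /** Kryo configured so that only explicitly registered classes can be read or written. */
    static Kryo trustedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);     // unregistered classes raise IllegalArgumentException
        kryo.register(PersistedContext.class);  // the context type itself
        kryo.register(HashMap.class);           // extended-state map; String is pre-registered by Kryo
        return kryo;
    }

    static byte[] write(Kryo kryo, Object value) {
        Output out = new Output(1024, -1);
        kryo.writeClassAndObject(out, value);
        return out.toBytes();
    }

    static Object read(Kryo kryo, byte[] bytes) {
        return kryo.readClassAndObject(new Input(bytes));
    }

    public static void main(String[] args) {
        Kryo trusted = trustedKryo();

        // Round-trip a context made only of registered classes: this must succeed.
        PersistedContext ctx = new PersistedContext();
        ctx.stateId = "AWAITING_APPROVAL";
        ctx.extendedState.put("orderId", "A-1001");
        PersistedContext restored = (PersistedContext) read(trusted, write(trusted, ctx));
        System.out.println("restored state: " + restored.stateId
                + ", extended state: " + restored.extendedState);

        // Constructed "legacy" bytes: written by a Kryo with no registration requirement,
        // the way an older store or an import job might have produced them. The class is
        // encoded by name, which the trusted reader does not accept.
        Kryo permissive = new Kryo();
        permissive.setRegistrationRequired(false);
        UnexpectedType stray = new UnexpectedType();
        stray.payload = "not a state";
        byte[] untrusted = write(permissive, stray);

        try {
            read(trusted, untrusted);
            System.out.println("UNEXPECTED: unregistered class was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Kryo performs the registration check after it has resolved the class name through the class loader (without initializing the class), so this setting gates which types can be instantiated from stored bytes; it narrows exposure while the upgrade and state migration are planned, and it is the reason step 3 matters: legacy entries written without registration will fail to load under a registration-required reader and have to be migrated or discarded deliberately.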

Repair help

Use Ping7 CVE Repair when the affected service stores state in Redis, MongoDB, JPA, or ZooKeeper and you need a patch and migration review before restarting production workflows.
