CVE-2026-6125: Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression

April 12, 2026 (updated April 14, 2026)

A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

References

gitee.com/dromara/warm-flow
gitee.com/dromara/warm-flow/issues/IHURVQ
gitee.com/dromara/warm-flow/pulls/387
github.com/advisories/GHSA-822v-8w6h-5jxp
github.com/dromara/warm-flow
nvd.nist.gov/vuln/detail/CVE-2026-6125
vuldb.com/submit/793322
vuldb.com/vuln/356989
vuldb.com/vuln/356989/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6125 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →