spring-boot-admin-server is vulnerable to Remote Code Execution (RCE)
Risk score: 75 (High Risk)
Affected versions of this package contain a Spring Expression Language (SpEL) injection issue in the FeiShuNotifier component: the notification message template is read from external configuration and evaluated with an overly permissive evaluation context, so anything the template can express, including references to arbitrary classes and invocation of their methods, runs inside the Admin Server process. An attacker who can modify the Admin Server's external configuration (for example via config files, environment variables, or a remote config server) can therefore inject SpEL expressions that are evaluated at runtime when a notification fires, leading to remote code execution, full access to process memory and secrets, and potential denial of service on the Spring Boot Admin Server. Note the precondition: exploitation requires write access to the server's configuration, so exposure of configuration sources (a config server, deployment environment variables, mounted config files) is what makes this reachable. Updating to a version that applies the fix, in which FeiShuNotifier evaluates the template with a restricted expression evaluation mechanism, is recommended.
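The following Java snippet is an added illustration, not code from Spring Boot Admin, contrasting the pattern the advisory describes (a configuration-supplied template evaluated with a fully privileged StandardEvaluationContext) with the standard Spring hardening of evaluating it under a SimpleEvaluationContext that only permits read-only property access. The Event root object, the template strings and the renderUnsafe/renderSafe helper names are assumptions made for the example; the real notifier's root object and property names are not shown on this page.

```java
// Added example (not Spring Boot Admin's own code). Needs org.springframework:spring-expression
// on the classpath. Shows why the evaluation context, not the parser, decides what a
// configuration-controlled SpEL template can do.
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class NotifierTemplateDemo {

    // Hypothetical root object standing in for the event data a notifier exposes to its
    // message template. Only these getters should be reachable from the template.
    public static class Event {
        private final String instanceName;
        private final String status;

        public Event(String instanceName, String status) {
            this.instanceName = instanceName;
            this.status = status;
        }

        public String getInstanceName() { return instanceName; }
        public String getStatus() { return status; }
    }

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();
    // Template mode: literal text with embedded #{...} expressions.
    private static final TemplateParserContext TEMPLATE = new TemplateParserContext();

    // VULNERABLE pattern: StandardEvaluationContext exposes type references (T(...)),
    // constructors, method invocation and bean resolution to whoever controls the template.
    static String renderUnsafe(String template, Event root) {
        Expression expr = PARSER.parseExpression(template, TEMPLATE);
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return expr.getValue(ctx, String.class);
    }

    // HARDENED pattern: a read-only data-binding SimpleEvaluationContext resolves property
    // reads on the root object only. T(...), method calls, assignment and @bean lookups all
    // fail with an EvaluationException instead of executing.
    static String renderSafe(String template, Event root) {
        Expression expr = PARSER.parseExpression(template, TEMPLATE);
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expr.getValue(ctx, root, String.class);
    }

    public static void main(String[] args) {
        Event event = new Event("order-service", "DOWN"); // constructed sample data

        // A benign template of the kind an operator would put in configuration.
        String benign = "Instance #{instanceName} changed to #{status}";
        // A template an attacker could plant through the same configuration channel.
        String malicious = "#{T(java.lang.Runtime).getRuntime().exec('id')}";

        System.out.println(renderUnsafe(benign, event));
        System.out.println(renderSafe(benign, event));

        // Under StandardEvaluationContext the malicious template would spawn a process in the
        // Admin Server's JVM; that call is deliberately not made here. Under
        // SimpleEvaluationContext the type reference is rejected before anything runs.
        try {
            renderSafe(malicious, event);
            System.out.println("unexpected: malicious template evaluated");
        } catch (EvaluationException e) {
            System.out.println("rejected by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

Both renderers produce the same text for the benign template, which is the point: restricting the context costs nothing for legitimate templates. When auditing a notifier or any other component that evaluates configuration-sourced SpEL, look for `new StandardEvaluationContext(...)` and confirm whether the template source is something an attacker with configuration access could influence.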
You are affected if you are using a version that falls within the vulnerable range.
spring-boot-admin-server is vulnerable to Remote Code Execution (RCE) in versions 0.0.1 - 3.5.6.
Upgrade the de.codecentric:spring-boot-admin-server library to a patched version (later than 3.5.6).