Security Advisory - Published 2026-06-10 - Spring Data / Spring Messaging
Spring Data, Kafka, and Pulsar CVEs: SpEL and Header Mapper Self-Check
The new Spring alerts are not Express.js issues. They affect Java applications using Spring Data MongoDB, Spring Data REST, Spring for Apache Kafka, or Spring for Apache Pulsar. The risky paths are user-controlled repository queries, JSON Patch on map properties, and broad trusted-package settings in message header mappers.
What is affected
| CVE | Component | Risk condition |
|---|---|---|
| CVE-2026-41717 | Spring Data MongoDB | Annotated repository query uses a capture-all placeholder and receives untrusted input. |
| CVE-2026-41729 | Spring Data REST | JSON Patch can reach a Map-typed persistent property on an exposed resource. |
| CVE-2026-41731 | Spring for Apache Kafka | Header mapper trusted-package matching is too broad. |
| CVE-2026-41732 | Spring for Apache Pulsar | Header mapper trusted packages are broad or empty and fall back to trusting too much. |
10-minute self-check
Find resolved Spring versions
```sh
mvn dependency:tree | grep -E 'spring-data-mongodb|spring-data-rest|spring-kafka|spring-pulsar'
./gradlew dependencies --configuration runtimeClasspath | grep -E 'spring-data-mongodb|spring-data-rest|spring-kafka|spring-pulsar'
```

Check the resolved dependency version, not just the Spring Boot version. Parent BOMs, overrides, and shaded dependencies can leave old libraries in the runtime classpath.
Search MongoDB repository query patterns
```sh
grep -Rni "@Query\|@Aggregation\|:#{\|?0" src 2>/dev/null | head -120
```

Review any annotated repository method that accepts request parameters, filters, search boxes, or admin-defined query text. The highest concern is direct user input flowing into a capture-all placeholder.
Check Spring Data REST JSON Patch exposure
```sh
grep -Rni "RepositoryRestResource\|@RestResource\|Map<" src 2>/dev/null | head -120
```

Focus on resources exposed through Spring Data REST where map-like properties can be modified by HTTP PATCH. If the endpoint is public or available to normal users, patch before relying on request filtering.
Review Kafka and Pulsar header mappers
```sh
grep -Rni "JsonKafkaHeaderMapper\|DefaultKafkaHeaderMapper\|JsonPulsarHeaderMapper\|trustedPackages" src 2>/dev/null | head -120
```

Treat message producers as part of the trust boundary. If external systems, tenants, or partner integrations can publish messages, broad trusted-package settings deserve immediate attention.
Fixed versions listed by Spring
| Component | Open-source fixed lines called out by Spring |
|---|---|
| Spring Data MongoDB | 5.0.6, 4.5.12 |
| Spring Data REST | 5.0.6, 4.5.12 |
| Spring for Apache Kafka | 4.0.6, 3.3.16 |
| Spring for Apache Pulsar | 2.0.6, 1.2.18 |
Some older affected lines are listed by Spring as commercial or enterprise-support fixes. If your application is pinned to one of those branches, plan the support or upgrade decision before the next production release.
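As an added example (not code from Spring or from this advisory), the following POSIX shell check reads Maven dependency:tree output and reports each resolved Spring artifact as fixed, vulnerable, or unlisted against the open-source fixed lines in the table above. It assumes Maven's `group:artifact:jar:version:scope` line format and uses a constructed sample tree; Gradle output would need a different parser.

```sh
# Added example, not code from Spring or from this advisory. Compares resolved
# Spring artifact versions against the open-source fixed lines in the table above.
# A version counts as "fixed" only if its own major.minor line has a listed fix;
# a line with no listed fix is reported as "unlisted" (may need a commercial fix).

# artifact:fixed-versions, copied from the "Fixed versions listed by Spring" table
FIXED_LINES='spring-data-mongodb:5.0.6,4.5.12
spring-data-rest:5.0.6,4.5.12
spring-kafka:4.0.6,3.3.16
spring-pulsar:2.0.6,1.2.18'

# spring_fix_status ARTIFACT VERSION -> prints fixed | vulnerable | unlisted
spring_fix_status() {
  artifact=$1; version=$2
  # spring-data-rest ships as spring-data-rest-core / -webmvc; map to the table row
  case $artifact in spring-data-rest-*) artifact=spring-data-rest ;; esac
  fixed=$(printf '%s\n' "$FIXED_LINES" | awk -F: -v a="$artifact" '$1 == a { print $2 }')
  [ -n "$fixed" ] || { echo unlisted; return 0; }
  # compare the patch segment numerically, within the same major.minor line only
  printf '%s\n' "$fixed" | tr ',' '\n' | awk -F. -v v="$version" '
    BEGIN { split(v, cur, "."); status = "unlisted" }
    $1 == cur[1] && $2 == cur[2] {
      status = (cur[3] + 0 >= $3 + 0) ? "fixed" : "vulnerable"
    }
    END { print status }'
}

# scan_dependency_tree < maven-dependency-tree-output
# Assumes Maven's "group:artifact:jar:version:scope" line format (Gradle differs).
scan_dependency_tree() {
  grep -oE 'org\.springframework\.(data|kafka|pulsar):spring-(data-mongodb|data-rest[a-z-]*|kafka|pulsar):jar:[^:]+' |
  while IFS=: read -r _group artifact _type version; do
    echo "$artifact $version $(spring_fix_status "$artifact" "$version")"
  done
}

# Constructed sample of mvn dependency:tree output (not from a real project)
SAMPLE_TREE='[INFO] +- org.springframework.data:spring-data-mongodb:jar:4.5.11:compile
[INFO] +- org.springframework.data:spring-data-rest-core:jar:4.5.12:compile
[INFO] +- org.springframework.kafka:spring-kafka:jar:3.3.16:compile
[INFO] \- org.springframework.pulsar:spring-pulsar:jar:1.1.4:compile'

printf '%s\n' "$SAMPLE_TREE" | scan_dependency_tree
```

Pipe real output in with `mvn dependency:tree | scan_dependency_tree`; an "unlisted" result means the line is not covered by the open-source fixes above and needs the support decision described in this section.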
Safe fix path
- Upgrade the affected Spring modules. Prefer the supported line your app can actually run.
- Restrict exposed repository endpoints. Remove public access to Spring Data REST PATCH paths until patched.
- Remove user-controlled SpEL. Replace flexible expression input with explicit fields and allowlisted operators.
- Tighten trusted packages. Kafka and Pulsar consumers should only trust DTO packages they own.
- Watch logs after deployment. Look for parser exceptions, repeated failed PATCH requests, and consumer crashes.
Ping7 repair path
Ping7 can review dependency trees, repository query patterns, Spring Data REST exposure, Kafka/Pulsar header mapper settings, and post-upgrade smoke tests. Start from CVE Repair and include your dependency tree, Spring Boot version, and whether outside systems can publish messages.