Security Advisory - Published 2026-06-10 - Spring Data / Spring Messaging

Spring Data, Kafka, and Pulsar CVEs: SpEL and Header Mapper Self-Check

This batch of Spring advisories has nothing to do with Express.js. It affects Java applications that use Spring Data MongoDB, Spring Data REST, Spring for Apache Kafka, or Spring for Apache Pulsar. The risky paths are user-controlled repository queries, JSON Patch against Map-typed properties, and overly broad trusted-package settings in message header mappers.

Defensive scope: this page focuses on dependency versions, code patterns, public endpoint exposure, and safe upgrades. It does not include crafted query strings, message headers, or JSON Patch samples.

What is affected

CVE             Component                 Risk condition
CVE-2026-41717  Spring Data MongoDB       An annotated repository query uses a capture-all placeholder and receives untrusted input.
CVE-2026-41729  Spring Data REST          JSON Patch can reach a Map-typed persistent property on an exposed resource.
CVE-2026-41731  Spring for Apache Kafka   Header mapper trusted-package matching is too broad.
CVE-2026-41732  Spring for Apache Pulsar  Header mapper trusted packages are broad or empty and fall back to trusting too much.

10-minute self-check

Find resolved Spring versions

mvn dependency:tree | grep -E 'spring-data-mongodb|spring-data-rest|spring-kafka|spring-pulsar'
./gradlew dependencies --configuration runtimeClasspath | grep -E 'spring-data-mongodb|spring-data-rest|spring-kafka|spring-pulsar'

Check the resolved dependency version, not just the Spring Boot version. Parent BOMs, overrides, and shaded dependencies can leave old libraries in the runtime classpath.

Search MongoDB repository query patterns

grep -Rn --include='*.java' --include='*.kt' -e '@Query' -e '@Aggregation' -e ':#{' -e '?0' src | head -120

Review any annotated repository method that accepts request parameters, filters, search boxes, or admin-defined query text. The highest concern is direct user input flowing into a capture-all placeholder.

Check Spring Data REST JSON Patch exposure

grep -Rn --include='*.java' --include='*.kt' -e 'RepositoryRestResource' -e '@RestResource' -e 'Map<' src | head -120

Focus on resources exposed through Spring Data REST where map-like properties can be modified by HTTP PATCH. If the endpoint is public or available to normal users, patch before relying on request filtering.

Review Kafka and Pulsar header mappers

grep -Rn --include='*.java' --include='*.kt' --include='*.properties' --include='*.yml' --include='*.yaml' -e 'JsonKafkaHeaderMapper' -e 'DefaultKafkaHeaderMapper' -e 'JsonPulsarHeaderMapper' -e 'trustedPackages' -e 'trusted-packages' src | head -120

Treat message producers as part of the trust boundary. If external systems, tenants, or partner integrations can publish messages, broad trusted-package settings deserve immediate attention.

Fixed versions listed by Spring

Component                 Open-source fixed lines called out by Spring
Spring Data MongoDB       5.0.6, 4.5.12
Spring Data REST          5.0.6, 4.5.12
Spring for Apache Kafka   4.0.6, 3.3.16
Spring for Apache Pulsar  2.0.6, 1.2.18

Some older affected lines are listed by Spring as commercial or enterprise-support fixes. If your application is pinned to one of those branches, plan the support or upgrade decision before the next production release.
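The version check from the self-check above, turned into a script that compares each resolved module version with the fixed lines in the table. This is an added example written for this page, not a script from Spring or from Ping7. The fixed versions are copied from the table; the mapping of artifactIds to the four modules by prefix (spring-data-rest ships as spring-data-rest-core and spring-data-rest-webmvc, both caught by prefix) is an assumption of the example; the dependency-tree lines at the bottom are constructed and mimic mvn dependency:tree and Gradle output. A line the table does not cover (an older commercial-support line, or a newer line) is reported as NOT_LISTED rather than guessed at.

```shell
#!/bin/sh
# Added example: compare resolved Spring module versions with the fixed lines
# listed on this page. Fixed versions below are copied from the page's table;
# the sample tree at the bottom is constructed for the example.

# Fixed open-source lines as "major.minor:patch" pairs (from the page's table).
fixed_lines() {
  case $1 in
    spring-data-mongodb) echo "5.0:6 4.5:12" ;;
    spring-data-rest)    echo "5.0:6 4.5:12" ;;
    spring-kafka)        echo "4.0:6 3.3:16" ;;
    spring-pulsar)       echo "2.0:6 1.2:18" ;;
    *) return 1 ;;
  esac
}

# Map an artifactId to one of the four affected modules (prefix match, an
# assumption of this example). Boot starters such as spring-boot-starter-data-mongodb
# are deliberately not matched: the library they pull in has its own tree line.
artifact_family() {
  case $1 in
    spring-data-mongodb*) echo spring-data-mongodb ;;
    spring-data-rest*)    echo spring-data-rest ;;
    spring-kafka*)        echo spring-kafka ;;
    spring-pulsar*)       echo spring-pulsar ;;
    *) return 1 ;;
  esac
}

# fix_status ARTIFACT VERSION -> OK | UPGRADE | NOT_LISTED | IGNORED
#   OK          on a fixed line, at or above the fixed patch level
#   UPGRADE     on a fixed line, below the fixed patch level
#   NOT_LISTED  a line the table does not call out: read Spring's advisory for it
#   IGNORED     not one of the four affected modules
fix_status() {
  fs_family=$(artifact_family "$1") || { echo IGNORED; return 0; }
  fs_major=${2%%.*}
  fs_rest=${2#*.}
  fs_minor=${fs_rest%%.*}
  case $fs_rest in
    *.*) fs_patch=${fs_rest#*.} ;;
    *)   fs_patch=0 ;;                 # "4.5" with no patch component
  esac
  fs_patch=${fs_patch%%[!0-9]*}        # drop qualifiers such as -SNAPSHOT
  for fs_entry in $(fixed_lines "$fs_family"); do
    if [ "${fs_entry%%:*}" = "$fs_major.$fs_minor" ]; then
      if [ "${fs_patch:-0}" -ge "${fs_entry#*:}" ]; then echo OK; else echo UPGRADE; fi
      return 0
    fi
  done
  echo NOT_LISTED
}

# scan_tree reads dependency-tree output on stdin and prints one
# "ARTIFACT VERSION STATUS" line per affected module. It understands the Maven
# "group:artifact:jar:version:scope" form and the Gradle "group:artifact:version"
# and "group:artifact[:requested] -> resolved" forms; a resolved version wins.
scan_tree() {
  while IFS= read -r st_line; do
    st_coord=$(printf '%s\n' "$st_line" |
      sed -nE 's/.*(org\.springframework[A-Za-z.]*:spring-[A-Za-z0-9.:-]*).*/\1/p')
    [ -n "$st_coord" ] || continue
    st_version=""
    case $st_line in
      *" -> "*) st_version=${st_line##* -> }; st_version=${st_version%% *} ;;
    esac
    st_oldifs=$IFS; IFS=:; set -- $st_coord; IFS=$st_oldifs
    st_artifact=$2
    shift 2
    if [ -z "$st_version" ]; then
      for st_field in "$@"; do
        case $st_field in [0-9]*) st_version=$st_field; break ;; esac
      done
    fi
    [ -n "$st_version" ] || continue
    st_status=$(fix_status "$st_artifact" "$st_version")
    [ "$st_status" != IGNORED ] || continue
    echo "$st_artifact $st_version $st_status"
  done
}

# Constructed sample: two Maven lines, one Boot starter (ignored), three Gradle lines.
SAMPLE_TREE='[INFO] +- org.springframework.data:spring-data-mongodb:jar:4.5.10:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-mongodb:jar:3.5.0:compile
[INFO] +- org.springframework.data:spring-data-rest-webmvc:jar:5.0.6:compile
+--- org.springframework.kafka:spring-kafka:3.3.10 -> 3.3.12
+--- org.springframework.pulsar:spring-pulsar -> 2.0.6
|    \--- org.springframework.data:spring-data-mongodb:3.4.18 (*)'

if [ "${1:-}" = --stdin ]; then
  scan_tree          # usage: mvn dependency:tree | sh spring-fix-check.sh --stdin
else
  printf '%s\n' "$SAMPLE_TREE" | scan_tree
fi
```

Run it with no arguments to see the sample report (two UPGRADE lines, two OK, one NOT_LISTED, and the starter silently dropped); pipe real mvn dependency:tree or gradlew dependencies output into it with --stdin. The qualifier stripping means a 4.5.12-SNAPSHOT reports OK, so treat snapshot builds as unverified and pin a released version.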

Safe fix path

  1. Upgrade the affected Spring modules. Prefer the supported line your app can actually run.
  2. Restrict exposed repository endpoints. Remove public access to Spring Data REST PATCH paths until patched.
  3. Remove user-controlled SpEL. Replace flexible expression input with explicit fields and allowlisted operators.
  4. Tighten trusted packages. Kafka and Pulsar consumers should only trust DTO packages they own.
  5. Watch logs after deployment. Look for parser exceptions, repeated failed PATCH requests, and consumer crashes.

Ping7 repair path

Ping7 can review dependency trees, repository query patterns, Spring Data REST exposure, Kafka/Pulsar header mapper settings, and post-upgrade smoke tests. Start from CVE Repair and include your dependency tree, Spring Boot version, and whether outside systems can publish messages.

References