PatchSiren cyber security CVE debrief
CVE-2026-41696 Spring CVE debrief
CVE-2026-41696 is a vulnerability in Spring Data MongoDB that allows an attacker to break out of intended regular expression quoting by supplying a crafted string. This issue affects Spring Data MongoDB versions 5.0.0 through 5.0.5, 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15, and 3.4.0 through 3.4.19.
- Vendor
- Spring
- Product
- Spring Data MongoDB
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Users of affected Spring Data MongoDB versions should update to a patched version to prevent potential attacks.
Technical summary
The vulnerability is caused by insufficient validation of regex parameter binding in repository query methods annotated with @Query. An attacker can exploit this by supplying a crafted string to break out of the intended regular expression quoting.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of Spring Data MongoDB.
Evidence notes
The CVE-2026-41696 vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity.
Official resources
-
CVE-2026-41696 CVE record
CVE.org
-
CVE-2026-41696 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-41696 was published on 2026-06-10T00:16:50.800Z and modified on 2026-06-10T19:24:04.320Z.