PatchSiren cyber security CVE debrief
CVE-2026-41717 Spring CVE debrief
CVE-2026-41717 is a high-severity SpEL (Spring Expression Language) injection vulnerability in Spring Data MongoDB. The flaw is reached during parameter binding when a user-defined repository query method is annotated with @Query and uses a capture-all placeholder. It carries a CVSS score of 8.1 and is rated HIGH severity.
- Vendor: Spring
- Product: Spring Data MongoDB
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Developers and administrators running Spring Data MongoDB versions 5.0.0 through 5.0.5, 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15, or 3.4.0 through 3.4.19 should be aware of this vulnerability and apply the defensive actions below.
Technical summary
The vulnerability stems from insufficient input validation in Spring Data MongoDB's parameter-binding process. When a user-defined repository query method is annotated with @Query and uses a capture-all placeholder, attacker-controlled input can be evaluated as a SpEL expression, potentially leading to arbitrary code execution.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a patched version of Spring Data MongoDB.
- Review user-defined repository query methods annotated with @Query, particularly those using a capture-all placeholder, and update them so that user input cannot be evaluated as a SpEL expression.
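To support the review step above, here is an added example that is not part of this advisory or of the Spring project: a Python scan that lists @Query methods whose query string contains a SpEL placeholder (`?#{...}`) or consists of nothing but a single placeholder, so those methods can be reviewed first. The page does not define the capture-all placeholder syntax, so the `@Query("?0")` shape and the regular expressions are this example's assumptions, and the Java repository source is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of a Spring Data MongoDB repository (not from the page or
# from the Spring project); it mixes safe and review-worthy @Query forms.
SAMPLE_JAVA = '''
public interface PersonRepository extends MongoRepository<Person, String> {

    // Positional placeholder: the argument is bound as a value, not evaluated.
    @Query("{ 'lastname' : ?0 }")
    List<Person> findByLastname(String lastname);

    // SpEL placeholder: ?#{...} is handed to the SpEL evaluator at bind time.
    @Query("{ 'lastname' : ?#{[0]} }")
    List<Person> findByLastnameSpel(String lastname);

    // Whole query supplied by one placeholder (assumed 'capture-all' shape).
    @Query("?0")
    List<Person> findByRawQuery(String query);
}
'''

# Matches @Query("...") or @Query(value = "...") and captures the query string.
ANNOTATION = re.compile(r'@Query\s*\(\s*(?:value\s*=\s*)?"((?:[^"\\]|\\.)*)"')
SPEL_MARKER = re.compile(r'\?#\{')            # SpEL expression placeholder
WHOLE_QUERY = re.compile(r'^\s*\?\d+\s*$')     # query string is only a placeholder
METHOD_NAME = re.compile(r'\b(\w+)\s*\(')      # first identifier followed by '('


def scan_queries(source: str) -> List[Dict[str, object]]:
    """Return the @Query methods in `source` that deserve a manual review."""
    findings = []
    for match in ANNOTATION.finditer(source):
        query = match.group(1)
        if SPEL_MARKER.search(query):
            reason = 'spel-expression'
        elif WHOLE_QUERY.match(query):
            reason = 'whole-query-placeholder'
        else:
            continue  # plain positional placeholders are bound as data
        name = METHOD_NAME.search(source, match.end())
        findings.append({
            'line': source.count('\n', 0, match.start()) + 1,
            'method': name.group(1) if name else '?',
            'reason': reason,
            'query': query,
        })
    return findings


if __name__ == '__main__':
    for f in scan_queries(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['method']} -> {f['reason']}: {f['query']}")
```

Run it over each repository interface in the code base; the positional-only method is skipped, while the two placeholder forms that merit review are reported with their line numbers.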
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about this vulnerability. Additional information can be found in the source reference [ref-4].
Official resources
- CVE-2026-41717 CVE record (CVE.org)
- CVE-2026-41717 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41717 was published on 2026-06-10T00:16:51.683Z and modified on 2026-06-10T19:24:04.320Z.