PatchSiren cyber security CVE debrief
CVE-2026-41727 Spring CVE debrief
CVE-2026-41727 is a medium-severity vulnerability in Spring Kafka's retry topic infrastructure. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. This issue affects Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11.
- Vendor: Spring
- Product: Spring for Apache Kafka
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by insufficient validation of user-controlled header values in Spring Kafka's retry topic infrastructure. A producer can send a record with a crafted retry_topic-attempts header, which can cause the retry topic router to misidentify the message's position in the retry sequence.
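An added illustration, not code from Spring Kafka or from this debrief: a simplified Python model of a retry-topic router showing how an unchecked retry_topic-attempts counter lands a record on the wrong hop, and how a consumer-side range check refuses such a counter before it is used for routing. The header encoding (1-byte or 4-byte big-endian signed int), the topic names and the routing rule are assumptions made for the example.

```python
# Constructed example (not Spring Kafka's own code): a consumer-side guard
# for the retry_topic-attempts header named in the advisory. A simplified
# router picks the next retry topic from the attempts counter; the guard
# refuses counters outside the expected range instead of routing on them.
# Header encoding (1-byte or 4-byte big-endian signed int) is an assumption.

ATTEMPTS_HEADER = "retry_topic-attempts"
# Constructed topic chain: index (attempts - 1) is the next hop, last is the DLT.
CHAIN = ["orders-retry-0", "orders-retry-1", "orders-dlt"]


class InvalidAttemptsHeader(ValueError):
    """Attempts header is malformed or outside 1..max_attempts."""


def decode_attempts(raw: bytes) -> int:
    """Decode the counter; only the two assumed lengths are accepted."""
    if len(raw) not in (1, 4):
        raise InvalidAttemptsHeader(f"unexpected header length {len(raw)}")
    return int.from_bytes(raw, "big", signed=True)


def validated_attempts(headers: dict, max_attempts: int) -> int:
    """Return the counter only if it lies in 1..max_attempts (missing => 1)."""
    raw = headers.get(ATTEMPTS_HEADER)
    if raw is None:
        return 1  # first delivery carries no attempts header yet
    attempts = decode_attempts(raw)
    if not 1 <= attempts <= max_attempts:
        raise InvalidAttemptsHeader(f"attempts={attempts} outside 1..{max_attempts}")
    return attempts


def unguarded_destination(headers: dict, chain: list) -> str:
    """Trusts the header as-is: an out-of-range count lands on the wrong hop
    (negative values index from the end; large values skip straight to DLT)."""
    attempts = decode_attempts(headers[ATTEMPTS_HEADER])
    return chain[min(attempts - 1, len(chain) - 1)]


def guarded_destination(headers: dict, chain: list) -> tuple:
    """Validate first; rejected records go to the DLT and are flagged so the
    rejection can be alerted on rather than silently re-sequenced."""
    try:
        attempts = validated_attempts(headers, max_attempts=len(chain))
    except InvalidAttemptsHeader:
        return chain[-1], False
    return chain[attempts - 1], True
```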
Defensive priority
medium
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring for Apache Kafka.
- Apply patches or updates provided by the vendor.
- Restrict access to the affected systems and networks.
Evidence notes
The CVE-2026-41727 vulnerability was published on 2026-06-10T00:16:52.143Z and last modified on 2026-06-10T19:24:04.320Z. The CVSS score is 6.5, and the severity is MEDIUM.
Official resources
- CVE-2026-41727 CVE record (CVE.org)
- CVE-2026-41727 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41727 was published on 2026-06-10T00:16:52.143Z and last modified on 2026-06-10T19:24:04.320Z.