PatchSiren cyber security CVE debrief
CVE-2026-41729 Spring CVE debrief
CVE-2026-41729 is a high-severity vulnerability in Spring Data REST, allowing SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. The vulnerability occurs when a persistent entity exposes a Map-typed property, and the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. This vulnerability affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5.
- Vendor: Spring
- Product: Spring Data REST
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of affected Spring Data REST versions should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability allows an attacker to inject SpEL expressions through map-typed properties when processing JSON Patch requests. This can lead to arbitrary code execution on the server.
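One defensive check a practitioner could place in front of the patch handler, shown here as an added example rather than Spring Data REST's own code: it parses a JSON Patch body, decodes each RFC 6901 JSON Pointer segment, and rejects any key destined for a Map-typed property that is not a plain identifier, so the key never reaches expression evaluation. The MAP_PROPERTIES set, the key pattern and SAMPLE_PATCH are assumptions constructed for this example.

```python
import json
import re

# Map-typed properties exposed by the entity. Constructed for this example;
# in a real deployment the set is derived from the domain model.
MAP_PROPERTIES = {"attributes", "labels"}

# Allowlist: identifier-like keys only. Anything with quotes, brackets,
# parentheses, '#' or '/' is rejected before it can be embedded anywhere.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unescape_pointer_segment(segment: str) -> str:
    """Decode an RFC 6901 segment: '~1' becomes '/', then '~0' becomes '~'.

    The order matters; decoding '~0' first would turn '~01' into '/'.
    """
    return segment.replace("~1", "/").replace("~0", "~")


def check_patch(document: str) -> list:
    """Return one finding per operation whose map key fails the allowlist."""
    findings = []
    for index, op in enumerate(json.loads(document)):
        path = op.get("path", "")
        segments = [unescape_pointer_segment(s) for s in path.split("/")[1:]]
        if len(segments) < 2 or segments[0] not in MAP_PROPERTIES:
            continue  # not a key under a map-typed property; out of scope here
        key = segments[1]
        if not SAFE_KEY.fullmatch(key):
            findings.append({"op_index": index, "path": path, "key": key})
    return findings


# Constructed sample request body: two benign operations, one key with
# metacharacters, and one key that only turns unsafe after pointer decoding.
SAMPLE_PATCH = json.dumps([
    {"op": "replace", "path": "/name", "value": "widget"},
    {"op": "add", "path": "/attributes/color", "value": "red"},
    {"op": "add", "path": "/attributes/c(o)", "value": "x"},
    {"op": "add", "path": "/labels/a~1b", "value": "y"},
])

if __name__ == "__main__":
    for finding in check_patch(SAMPLE_PATCH):
        print("reject:", finding)
```

A rejected operation should fail the whole request, since JSON Patch is applied atomically.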
Defensive priority
High
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Data REST.
- Apply patches or updates provided by the vendor.
- Restrict access to sensitive data and systems.
Evidence notes
The CVE record and NVD detail pages provide additional information about the vulnerability.
Official resources
- CVE-2026-41729 CVE record (CVE.org)
- CVE-2026-41729 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41729 was published on 2026-06-10T00:16:52.367Z and modified on 2026-06-10T19:24:04.320Z.