PatchSiren cyber security CVE debrief

CVE-2026-41731 Spring CVE debrief

CVE-2026-41731 is a HIGH severity vulnerability in Spring for Apache Kafka. The JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check. This meant that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions include Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Vendor
Spring
Product
Spring for Apache Kafka
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-10
Advisory published
2026-06-10
Advisory updated
2026-06-10

Who should care

Anyone running Spring for Apache Kafka 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13 or 2.8.0 through 2.8.11 on the consumer side. Exposure is greatest where a consumer maps type headers with JsonKafkaHeaderMapper or the deprecated DefaultKafkaHeaderMapper and reads from topics that untrusted or less-trusted producers can write to, since the crafted input is a message header supplied by a producer.

Technical summary

The header mappers carry a class name alongside a header value so the consumer knows which type to deserialize the value into. Before handing the value to Jackson, the consumer checks that class name against its list of trusted packages. In the affected versions that check was a string-prefix match, so trusting a package implicitly trusted every subpackage beneath it, rather than only classes directly in the named package. A producer could therefore name a class the consumer never intended to accept, and Jackson's default bean deserialization would instantiate it, letting the producer make the consumer deserialize arbitrary JDK types.
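The following is an added, self-contained illustration of the flaw class described above and is not Spring for Apache Kafka's own code: a constructed trust check that uses a bare string prefix, beside one that requires the class's package to match a trusted entry exactly. The class name `HeaderTypeTrust`, the header name `type`, the two trusted packages and the sample class names are assumptions for this example.

```java
import java.util.List;
import java.util.Map;

/**
 * Constructed illustration (not Spring for Apache Kafka's code) of how a
 * package-prefix trust check over-matches, and of an exact-package check that
 * does not. Names, header key and trusted packages are assumptions.
 */
public final class HeaderTypeTrust {

    /** Packages the consumer intends to trust. Both entries are assumptions. */
    private static final List<String> TRUSTED_PACKAGES =
            List.of("com.example.events", "java.util");

    /** Header carrying the producer-supplied class name; assumed for this example. */
    static final String TYPE_HEADER = "type";

    /**
     * Vulnerable: bare prefix match. Any subpackage of a trusted package, and
     * any package whose name merely starts with the trusted string, passes.
     */
    static boolean trustedByPrefix(String className) {
        for (String pkg : TRUSTED_PACKAGES) {
            if (className.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    /** Hardened: the class's package must equal a trusted entry exactly. */
    static boolean trustedByExactPackage(String className) {
        int lastDot = className.lastIndexOf('.');
        if (lastDot <= 0) {
            return false; // default package or malformed name: never trusted
        }
        String pkg = className.substring(0, lastDot);
        return TRUSTED_PACKAGES.contains(pkg);
    }

    /** Resolves the target type named in the header only if the chosen check passes. */
    static Class<?> resolveTargetType(Map<String, String> headers, boolean exact)
            throws ClassNotFoundException {
        String className = headers.get(TYPE_HEADER);
        boolean trusted = exact ? trustedByExactPackage(className) : trustedByPrefix(className);
        if (!trusted) {
            throw new IllegalArgumentException("untrusted type header: " + className);
        }
        return Class.forName(className);
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Constructed producer-supplied class names, from expected to hostile.
        String[] producerSupplied = {
            "com.example.events.OrderCreated",        // the type the consumer expects
            "com.example.events.internal.Hidden",     // subpackage: prefix check lets it through
            "com.example.eventsX.Anything",           // sibling package sharing the prefix
            "java.util.HashMap",                      // directly in a trusted package
            "java.util.concurrent.ConcurrentHashMap"  // JDK subpackage: prefix check lets it through
        };
        for (String name : producerSupplied) {
            System.out.printf("%-42s prefix=%-5b exact=%b%n",
                    name, trustedByPrefix(name), trustedByExactPackage(name));
        }

        // A hostile header naming a JDK type outside the intended package.
        Map<String, String> hostile = Map.of(TYPE_HEADER, "java.util.concurrent.ConcurrentHashMap");
        System.out.println("prefix check resolved: " + resolveTargetType(hostile, false).getName());
        try {
            resolveTargetType(hostile, true);
        } catch (IllegalArgumentException refused) {
            System.out.println("exact check refused: " + refused.getMessage());
        }
    }
}
```

Compile and run with `javac HeaderTypeTrust.java && java HeaderTypeTrust` on any JDK 9 or later. The table it prints shows the prefix check accepting the subpackage, the sibling package and the JDK subpackage, while the exact check accepts only the two names whose package is literally in the list. Exact package matching is the minimal fix for this flaw class; a stronger design is to allow-list the specific class names the consumer expects and never resolve a class from a producer-supplied string at all.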

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Spring for Apache Kafka to a fixed release: 4.0.6 or later, 3.3.16 or later, 3.2.14 or later, 2.9.14 or later, or 2.8.12 or later.
  • Until the upgrade lands, stop resolving header types from producer-supplied class names: use a header mapper that does not perform a package-prefix trust check, or narrow the trusted-package list to the smallest set the consumer actually needs.
  • Review which topics affected consumers read from and who can produce to them; the crafted input is a message header, so any producer able to write to a consumed topic can reach the vulnerable code path.

Evidence notes

The CVE was published on 2026-06-10T00:16:52.597Z and last modified on 2026-06-10T19:24:04.320Z. The CVSS score is 8.1, indicating a HIGH severity vulnerability.

Official resources

CVE-2026-41731 was published on 2026-06-10T00:16:52.597Z.