PatchSiren cyber security CVE debrief
CVE-2026-41732 Spring CVE debrief
CVE-2026-41732 is a HIGH severity vulnerability in Spring for Apache Pulsar, with a CVSS score of 8.1. The vulnerability arises from a prefix check in JsonPulsarHeaderMapper that matched type headers against trusted packages by string prefix, so every subpackage of a trusted package was implicitly trusted as well. Furthermore, an empty trusted-packages configuration fell back to trusting all packages instead of applying a safe default allow-list. Affected versions include Spring for Apache Pulsar 2.0.0 through 2.0.5, 1.2.0 through 1.2.17, and 1.1.0 through 1.1.17.
- Vendor: Spring
- Product: Spring for Apache Pulsar
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring for Apache Pulsar versions 2.0.0 through 2.0.5, 1.2.0 through 1.2.17, and 1.1.0 through 1.1.17 should treat their deployments as affected and apply the defensive actions listed below.
Technical summary
The JsonPulsarHeaderMapper validated the type header of an incoming message with a prefix check against the configured trusted packages, so a class in any subpackage of a trusted package passed the check, and an empty trusted-packages configuration trusted every package. This issue has been addressed in a fixed release of Spring for Apache Pulsar; the affected version ranges are listed above.
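To make the two defects concrete, the following is an added illustration, not code from Spring for Apache Pulsar: a prefix check with a trust-all fallback beside an exact-package allow-list with a restrictive default. `TrustedPackageCheck`, the sample package names and the `java.util`/`java.lang` default are assumptions, and the sibling-package case goes beyond what the advisory states, showing that a raw prefix match also ignores package boundaries.

```java
import java.util.List;
import java.util.Set;

// Added illustration, not code from Spring for Apache Pulsar: a weak prefix check
// with a trust-all fallback beside an exact-package allow-list with a safe default.
public final class TrustedPackageCheck {

    // Hypothetical safe default; the fixed release may use a different list.
    private static final Set<String> DEFAULT_TRUSTED = Set.of("java.util", "java.lang");

    // Weak pattern: startsWith trusts every subpackage of a trusted package,
    // and an empty configuration trusts everything.
    static boolean weakIsTrusted(String typeName, List<String> trustedPackages) {
        if (trustedPackages.isEmpty()) {
            return true;
        }
        return trustedPackages.stream().anyMatch(typeName::startsWith);
    }

    // Hardened pattern: compare the class's own package for equality, not by prefix,
    // and fall back to the restrictive default when nothing is configured.
    static boolean strictIsTrusted(String typeName, List<String> trustedPackages) {
        int lastDot = typeName.lastIndexOf('.');
        String pkg = lastDot < 0 ? "" : typeName.substring(0, lastDot);
        Set<String> allowList = trustedPackages.isEmpty() ? DEFAULT_TRUSTED : Set.copyOf(trustedPackages);
        return allowList.contains(pkg);
    }

    public static void main(String[] args) {
        // Constructed sample type headers; the package names are placeholders.
        List<String> configured = List.of("com.example.events");
        String[] headers = {
            "com.example.events.OrderPlaced",          // in the trusted package itself
            "com.example.events.internal.Gadget",      // subpackage: only the prefix check accepts it
            "com.example.eventsx.Other",               // shares a string prefix, different package
            "java.util.HashMap"                        // covered only by the safe default
        };
        for (String header : headers) {
            System.out.printf("%-40s weak=%-5b strict=%-5b weak(empty)=%-5b strict(empty)=%b%n",
                    header,
                    weakIsTrusted(header, configured), strictIsTrusted(header, configured),
                    weakIsTrusted(header, List.of()), strictIsTrusted(header, List.of()));
        }
    }
}
```

Running the class prints one row per sample header so the two policies can be compared side by side, including the empty-configuration case.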
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring for Apache Pulsar.
- Configure trusted packages explicitly to avoid implicit trust of subpackages.
- Refer to [ref-4] for detailed security advisories and patches.
Evidence notes
The CVE was published on [cve-org] and additional details can be found on [nvd].
Official resources
- CVE-2026-41732 CVE record (CVE.org)
- CVE-2026-41732 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41732 was published on 2026-06-10T00:16:52.720Z and modified on 2026-06-10T19:24:04.320Z.