CVE-2026-41731 (GCVE-0-2026-41731)
Vulnerability from cvelistv5 – Published: 2026-06-09 23:49 – Updated: 2026-06-30 12:08
VLAI
Title
In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
Summary
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.
Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://spring.io/security/cve-2026-41731 | |
| https://access.redhat.com/security/cve/CVE-2026-41731 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2487375 | issue-trackingx_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Spring | Spring for Apache Kafka |
Affected:
4.0.0 , < 4.0.5.1
(custom)
Affected: 3.3.0 , < 3.3.15.1 (custom) Affected: 3.2.0 , < 3.2.14 (custom) Affected: 2.9.0 , < 2.9.14 (custom) Affected: 2.8.0 , < 2.8.12 (custom) |
|
| Red Hat | Red Hat Fuse 7 |
cpe:/a:redhat:jboss_fuse:7 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack |
cpe:/a:redhat:jbosseapxp |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T17:18:09.377824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:18:19.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:jboss_fuse:7"
],
"defaultStatus": "affected",
"product": "Red Hat Fuse 7",
"vendor": "Red Hat"
},
{
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-09T23:49:26.535Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the spring-kafka component. A remote attacker, by supplying crafted header values, could exploit a vulnerability in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper that incorrectly matched type headers against trusted packages. This issue, combined with Jackson\u0027s default bean deserialization, could allow the consumer to deserialize arbitrary Java Development Kit (JDK) types. This could lead to arbitrary code execution on the affected system."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T12:08:45.738Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-41731"
},
{
"name": "RHBZ#2487375",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487375"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41731.json"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-10T00:01:22.562Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-09T23:49:26.535Z",
"value": "Made public."
}
],
"title": "spring-kafka: Spring for Apache Kafka: Arbitrary code execution via insecure deserialization of crafted header values",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring for Apache Kafka",
"vendor": "Spring",
"versions": [
{
"lessThan": "4.0.5.1",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThan": "3.3.15.1",
"status": "affected",
"version": "3.3.0",
"versionType": "custom"
},
{
"lessThan": "3.2.14",
"status": "affected",
"version": "3.2.0",
"versionType": "custom"
},
{
"lessThan": "2.9.14",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThan": "2.8.12",
"status": "affected",
"version": "2.8.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"value": "JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A producer can supply crafted Kafka header values that cause the consumer to deserialize arbitrary JDK types via overly broad trusted-package prefix matching in JsonKafkaHeaderMapper."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T21:16:32.317Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41731"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41731",
"datePublished": "2026-06-09T23:49:26.535Z",
"dateReserved": "2026-04-22T06:21:39.015Z",
"dateUpdated": "2026-06-30T12:08:45.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-41731",
"date": "2026-07-01",
"epss": "0.00489",
"percentile": "0.38489"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-41731\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2026-06-10T00:16:52.597\",\"lastModified\":\"2026-06-30T03:19:29.337\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\\n\\nAffected versions:\\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.\"}],\"affected\":[{\"source\":\"security@vmware.com\",\"affectedData\":[{\"vendor\":\"Spring\",\"product\":\"Spring for Apache Kafka\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"4.0.0\",\"lessThan\":\"4.0.5.1\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"3.3.0\",\"lessThan\":\"3.3.15.1\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"3.2.0\",\"lessThan\":\"3.2.14\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"2.9.0\",\"lessThan\":\"2.9.14\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"2.8.0\",\"lessThan\":\"2.8.12\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Fuse 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jboss_fuse:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat JBoss Enterprise Application Platform Expansion Pack\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:jbosseapxp\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-10T17:18:09.377824Z\",\"id\":\"CVE-2026-41731\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_for_apache_kafka:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndIncluding\":\"2.8.11\",\"matchCriteriaId\":\"1FA133AB-08DE-414E-8E73-4315485A0EB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_for_apache_kafka:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndIncluding\":\"2.9.13\",\"matchCriteriaId\":\"05FA857E-CD8B-4FEA-8705-BE4B37100598\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_for_apache_kafka:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2.0\",\"versionEndIncluding\":\"3.2.13\",\"matchCriteriaId\":\"048502C1-BBD9-43E1-9E7F-35BBB905357D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_for_apache_kafka:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.3.0\",\"versionEndIncluding\":\"3.3.15\",\"matchCriteriaId\":\"1FCB29AB-0723-49AE-A4D0-44FB8091601F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vmware:spring_for_apache_kafka:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndIncluding\":\"4.0.5\",\"matchCriteriaId\":\"06571657-6130-4290-8878-AADBD070C2CE\"}]}]}],\"references\":[{\"url\":\"https://spring.io/security/cve-2026-41731\",\"source\":\"security@vmware.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-41731\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2487375\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41731.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41731\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-10T17:18:09.377824Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-10T17:18:16.919Z\"}}], \"cna\": {\"title\": \"In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"A producer can supply crafted Kafka header values that cause the consumer to deserialize arbitrary JDK types via overly broad trusted-package prefix matching in JsonKafkaHeaderMapper.\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Spring\", \"product\": \"Spring for Apache Kafka\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.0.5.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.3.0\", \"lessThan\": \"3.3.15.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.2.0\", \"lessThan\": \"3.2.14\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.9.0\", \"lessThan\": \"2.9.14\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.8.0\", \"lessThan\": \"2.8.12\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://spring.io/security/cve-2026-41731\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\\n\\nAffected versions:\\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson\u0027s default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\\n\\nAffected versions:\\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2026-06-27T21:16:32.317Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-41731\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-27T21:16:32.317Z\", \"dateReserved\": \"2026-04-22T06:21:39.015Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2026-06-09T23:49:26.535Z\", \"assignerShortName\": \"vmware\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…