CVE-2026-41696
Description
Spring Data MongoDB allows regex parameter binding to be broken out of, potentially exposing data or bypassing filters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring Data MongoDB versions 5.0.0 through 5.0.5, 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15, and 3.4.0 through 3.4.19 perform insufficient validation of parameters bound to regex query methods annotated with @Query. This allows an attacker to supply a crafted string to break out of the intended regular expression quoting [1].
Exploitation
An attacker can exploit this vulnerability by supplying a crafted string to a regex parameter binding within a @Query annotated method. This is particularly dangerous when the repository is exposed to untrusted sources, such as through spring-data-rest. No specific user interaction or authentication is mentioned as required, but network access to the vulnerable endpoint is implied [1].
Impact
Successful exploitation can lead to unauthorized data exposure or bypass of intended query filters. The scope of the compromise is limited to the data accessible through the vulnerable query method, but the attacker gains the ability to craft arbitrary queries within the bounds of the regex injection [1].
Mitigation
Users of affected versions should upgrade to the corresponding fixed versions: 5.0.6, 4.5.12, 4.4.15, 4.3.17, or 3.4.20. Specific fix versions for other affected branches are also available [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 5.0.0 through 5.0.5, 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15, 3.4.0 through 3.4.19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws (Vypr Intelligence, Jun 10, 2026)