CVE-2026-41717

Vulnerability

Spring Data MongoDB versions 5.0.0 through 5.0.5, 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15, and 3.4.0 through 3.4.19 are affected by a SpEL expression injection vulnerability. This occurs during parameter binding when a user-defined repository query method annotated with @Query uses a capture-all placeholder and is exposed to unsanitized user input [1].

Exploitation

An attacker can exploit this vulnerability by defining a repository method with an @Query annotation using a capture-all placeholder like ?0 or :#{?0}. If this method is exposed to untrusted input, for example, via spring-data-rest or a custom web endpoint, and unsanitized user input is passed directly to it, the attacker can inject malicious SpEL expressions [1].

Impact

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution. The impact includes confidentiality, integrity, and availability compromise, as the injected SpEL expressions can execute arbitrary code within the application's context [1].

Mitigation

Users should upgrade to the following fixed versions: Spring Data MongoDB 5.0.6, 4.5.12, 4.4.15, 4.3.17, or 3.4.20. Specific versions depend on the product line (OSS or Enterprise Support Only). Older, unsupported versions remain vulnerable [1].