CVE-2026-41719
Description
Spring Data KeyValue SpEL Injection vulnerability allows remote code execution via unsanitized user input in repository query methods.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SpEL Injection vulnerability exists in Spring Data KeyValue when unsanitized user input is passed as a Sort parameter into a repository query method that uses SpelPropertyComparator for evaluation. The application is vulnerable if the SpelPropertyComparator is used for sorting, the method is exposed to untrusted input, and unsanitized user input is directly passed to the method. Affected versions include Spring Data KeyValue and Spring Data Redis from 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.7.0 through 2.7.19 [1].
Exploitation
An attacker needs low privileges and network access to exploit this vulnerability. The attacker must be able to supply the Sort parameter of a repository query method that is exposed to untrusted input, for example through a custom REST endpoint that passes a request value to the method without sanitization. The SpelPropertyComparator must be configured for sorting, which allows the SpEL expression carried in that input to be evaluated [1].
Impact
Successful exploitation of this vulnerability can lead to arbitrary code execution. The attacker can potentially disclose sensitive information, modify data, and disrupt service availability. The scope of the compromise depends on the privileges of the affected application process [1].
Mitigation
Users of affected versions should upgrade to the corresponding fixed versions of Spring Data KeyValue. Specific fix versions include 4.0.6 for 4.0.x, 3.5.12 for 3.5.x, 3.4.15 for 3.4.x, 3.3.17 for 3.3.x, and 2.7.20 for 2.7.x. Some versions are only available with Enterprise Support [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
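As an added illustration (not code from the advisory or from the Spring project), the pattern the Vulnerability and Mitigation sections describe: a request parameter passed straight into a KeyValue repository's Sort, next to a hardened endpoint that only accepts an allowlisted property name. The entity, repository and controller names are assumed.

```java
import java.util.Set;
import org.springframework.data.domain.Sort;
import org.springframework.data.keyvalue.repository.KeyValueRepository;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Assumed entity and repository (hypothetical names, not from the advisory).
class Person { String firstname; String lastname; int age; }

interface PersonRepository extends KeyValueRepository<Person, String> {}

@RestController
class PersonController {

    // The only property names a client may sort on. Anything else, including
    // a SpEL expression smuggled into the parameter, is not in this set.
    private static final Set<String> SORTABLE = Set.of("firstname", "lastname", "age");

    private final PersonRepository repository;

    PersonController(PersonRepository repository) { this.repository = repository; }

    // The exposure the advisory describes: the raw request value becomes the
    // Sort property and reaches the KeyValue comparator unchecked.
    @GetMapping("/people/unsafe")
    Iterable<Person> listUnsafe(@RequestParam String sortBy) {
        return repository.findAll(Sort.by(sortBy));
    }

    // Hardened form: validate against the allowlist before building the Sort,
    // so only a known property name is ever handed to the repository.
    @GetMapping("/people")
    Iterable<Person> list(@RequestParam(defaultValue = "lastname") String sortBy,
                          @RequestParam(defaultValue = "asc") String dir) {
        if (!SORTABLE.contains(sortBy)) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "unsupported sort property");
        }
        Sort.Direction direction =
                "desc".equalsIgnoreCase(dir) ? Sort.Direction.DESC : Sort.Direction.ASC;
        return repository.findAll(Sort.by(direction, sortBy));
    }
}
```

Upgrading to the fixed versions listed above remains the primary fix; the allowlist only removes the exposed-input precondition the advisory names.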
Affected products
- Spring Data KeyValue, range: 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, 2.7.0 through 2.7.19
- Spring Data Redis, range: 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, 2.7.0 through 2.7.19
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four subsections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws (Vypr Intelligence · Jun 10, 2026)