CVE-2026-41727

Vulnerability

Spring Kafka's retry topic infrastructure fails to sufficiently validate user-controlled header values. A producer can send a record with a crafted retry_topic-attempts header to provide an out-of-range attempt count, causing the retry topic router to misidentify the message's position in the retry sequence. Additionally, the retry_topic_backoff-timestamp header is accepted without bounds checking. This vulnerability affects Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11 [1].

Exploitation

An attacker with producer privileges can send a record containing forged retry_topic-attempts or retry_topic_backoff-timestamp headers. By manipulating the retry_topic-attempts header, an attacker can cause the retry router to incorrectly track the number of retry attempts for a message. By forging the retry_topic_backoff-timestamp header with an out-of-range value, an attacker can instruct the backoff manager to impose an arbitrarily long pause, effectively stalling the listener beyond any intended retry window [1].

Impact

Successful exploitation can lead to a denial of service by causing the listener to stall indefinitely due to an artificially imposed long pause. The retry routing mechanism can also be disrupted, potentially leading to messages not being retried as expected or being processed out of sequence, impacting the overall reliability and availability of the Kafka-based application [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: Spring for Apache Kafka 4.0.6, 3.3.16, 3.2.14, 2.9.14, or 2.8.12. No further mitigation steps are necessary beyond upgrading [1].