CVE-2026-41729
Description
Spring Data REST is vulnerable to SpEL injection via map keys in JSON Patch requests, allowing attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 are vulnerable to SpEL expression injection. This occurs when processing JSON Patch requests (application/json-patch+json) against a persistent entity that exposes a Map-typed property. The JSON Pointer path segment used as the map key is directly embedded into a SpEL expression without proper sanitization or validation [1].
Exploitation
An attacker needs to be able to issue PATCH requests with a Content-Type of application/json-patch+json to an affected item resource. The application's security configuration determines whether authentication is required. The attacker crafts a map-key segment within the JSON Patch request that breaks out of the intended indexer literal, allowing an arbitrary SpEL sub-expression to be evaluated in the context of the aggregate root. Both read and write patch paths are affected [1].
Impact
Successful exploitation allows an attacker to evaluate arbitrary SpEL expressions within the context of the aggregate root. This can lead to significant impacts including disclosure of sensitive information and modification of data, depending on the privileges of the application's security context and the crafted SpEL expression. The exact impact is contingent on the specific application's configuration and the reachable map-typed properties [1].
Mitigation
Users of affected versions should upgrade to the following fixed versions: 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6. Versions that are no longer supported are also affected. No other mitigation details are available in the provided references [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.7.0-3.7.19, 4.3.0-4.3.16, 4.4.0-4.4.14, 4.5.0-4.5.11, 5.0.0-5.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws (Vypr Intelligence · Jun 10, 2026)