VYPR
High severity (8.1, NVD Advisory) · Published Jun 10, 2026

CVE-2026-41731

Description

Spring Kafka header mappers allow deserialization of arbitrary JDK types by trusting subpackages, leading to potential RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper in Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11 matched type headers against the trusted-packages list with a prefix check, so trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, this enables the deserialization of arbitrary JDK types [1].
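To make the root cause concrete, the following Java class contrasts a prefix-based trusted-package check with a check on the type's actual package. It is an added illustration, not Spring Kafka's code (this page carries no fix diff); the class name TrustedPackageCheck, the trusted set containing only java.util, and the header type names are all constructed for the demo, and the "corrected" method is an assumption about how a package-boundary check behaves rather than a copy of the project's fix.

```java
import java.util.List;
import java.util.Set;

/**
 * Added illustration (not Spring Kafka's code): how a prefix-based trusted-package
 * check differs from a package-boundary check when deciding whether a type name
 * carried in a message header may be handed to Jackson for deserialization.
 */
public class TrustedPackageCheck {

    // Assumption for the demo: the operator intended to trust exactly this one package.
    static final Set<String> TRUSTED = Set.of("java.util");

    // Reconstructed flawed check: a plain prefix match. Trusting "java.util" also
    // admits "java.util.concurrent.*" and every other subpackage, which is the
    // behaviour the advisory describes.
    static boolean trustedByPrefix(String className, Set<String> trusted) {
        for (String pkg : trusted) {
            if (className.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    // Assumed corrected check: the type's own package must equal a trusted package;
    // subpackages are not implicitly trusted.
    static boolean trustedByPackage(String className, Set<String> trusted) {
        int dot = className.lastIndexOf('.');
        if (dot < 0) {
            return false; // class in the default package: never trusted
        }
        return trusted.contains(className.substring(0, dot));
    }

    public static void main(String[] args) {
        // Constructed header type names for the demo.
        List<String> headerTypes = List.of(
            "java.util.ArrayList",                     // directly in the trusted package
            "java.util.concurrent.ConcurrentHashMap",  // subpackage: admitted only by the prefix check
            "com.example.Payload");                    // untrusted under either check
        for (String type : headerTypes) {
            System.out.printf("%-42s prefix=%-5b package=%b%n",
                type, trustedByPrefix(type, TRUSTED), trustedByPackage(type, TRUSTED));
        }
    }
}
```

Run it with `java TrustedPackageCheck.java` (JDK 11+ single-file launch). The subpackage line is the one to watch: the prefix check reports it trusted while the package check does not. The check only gates which declared type names reach Jackson; per the advisory, the remedy for affected deployments is upgrading to a fixed version, and this block illustrates the logic rather than substituting for that upgrade.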

Exploitation

An unauthenticated attacker with network access could supply crafted header values to a Kafka producer. These crafted headers would then be processed by a vulnerable Kafka consumer, triggering Jackson's deserialization mechanism to instantiate arbitrary JDK types, potentially leading to code execution [1].

Impact

Successful exploitation allows an attacker to deserialize arbitrary JDK types on the consumer side. This can include classes whose constructors have side effects, such as allocating file descriptors or spawning thread pools, potentially leading to remote code execution with the privileges of the consumer process [1].

Mitigation

Users of affected versions should upgrade to the following fixed versions: 4.0.6 (or 4.0.5.1 for Commercial), 3.3.16 (or 3.3.15.1 for Commercial), 3.2.14 (Commercial), 2.9.14 (Commercial), or 2.8.12 (Commercial). No further mitigation steps are necessary beyond upgrading [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11
  • Apache/Kafka (llm-fuzzy): Range: 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (2)