VYPR
High severity (8.1) · NVD Advisory · Published Jun 10, 2026

CVE-2026-41732

Description

Spring for Apache Pulsar's header mapper allows deserialization of arbitrary JDK types via prefix matching and insecure empty configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring for Apache Pulsar versions 2.0.0 through 2.0.5, 1.2.0 through 1.2.17, and 1.1.0 through 1.1.17 are affected by an overly broad trusted-package matching vulnerability in JsonPulsarHeaderMapper. The matching used a prefix check, so trusting a package implicitly trusted all of its subpackages. Furthermore, an empty trusted-packages configuration incorrectly fell back to trusting all packages instead of a safe default allow-list [1].
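As an added illustration (not Spring for Apache Pulsar's own code), the flawed prefix check and empty-list fallback described above, next to a hardened version that compares the class's package exactly and treats an empty configuration as a fixed safe allow-list; the class, method names and the `java.lang`-only default are assumptions for this example.

```java
import java.util.List;
import java.util.Set;

// Hypothetical illustration of the two flaws in the advisory and a hardened
// counterpart. Not the project's code; names and the default list are assumed.
public final class TrustedPackageCheck {

    // Flawed: a prefix check. Trusting "java.util" also accepts every subpackage
    // such as "java.util.concurrent", and an empty list accepts everything.
    static boolean isTrustedPrefixMatch(List<String> trustedPackages, String className) {
        if (trustedPackages.isEmpty()) {
            return true; // empty configuration falls back to "trust all"
        }
        for (String pkg : trustedPackages) {
            if (className.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    // Assumed safe default used when nothing is configured (deliberately small).
    static final Set<String> SAFE_DEFAULT = Set.of("java.lang");

    // Hardened: compare the class's own package for equality, so subpackages are
    // not implicitly trusted, and fall back to SAFE_DEFAULT rather than "all".
    static boolean isTrustedExactMatch(List<String> trustedPackages, String className) {
        Set<String> allowed = trustedPackages.isEmpty() ? SAFE_DEFAULT : Set.copyOf(trustedPackages);
        int dot = className.lastIndexOf('.');
        String pkg = dot < 0 ? "" : className.substring(0, dot);
        return allowed.contains(pkg);
    }

    public static void main(String[] args) {
        List<String> trusted = List.of("java.util");
        String subpackageType = "java.util.concurrent.ConcurrentHashMap";
        String unconfiguredType = "java.io.File";
        System.out.println("prefix check, subpackage type:   " + isTrustedPrefixMatch(trusted, subpackageType));
        System.out.println("exact check,  subpackage type:   " + isTrustedExactMatch(trusted, subpackageType));
        System.out.println("prefix check, empty config:      " + isTrustedPrefixMatch(List.of(), unconfiguredType));
        System.out.println("exact check,  empty config:      " + isTrustedExactMatch(List.of(), unconfiguredType));
    }
}
```

Running it shows the prefix check accepting both the subpackage type and, with no configuration, a type in an unlisted package, while the exact check rejects both.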

Exploitation

An attacker can exploit this vulnerability by supplying crafted header values. This requires the attacker to be able to act as a producer and send these crafted headers to a consumer. The vulnerability is triggered when the consumer deserializes these headers using Jackson's default bean deserialization [1].

Impact

Successful exploitation allows an attacker to cause the consumer to deserialize arbitrary JDK types. The constructors of these deserialized classes can have side effects, such as allocating file descriptors or spawning thread pools, potentially leading to denial-of-service or other unintended consequences [1].

Mitigation

Users of affected versions should upgrade to the following fixed versions: Spring for Apache Pulsar 2.0.6 (or 2.0.5.1 for Commercial), 1.2.18 (or 1.2.17.1 for Commercial), or 1.1.18 (for Commercial). No further mitigation steps are necessary beyond upgrading [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1