Spring Data MongoDB – SpEL Expression Injection via Annotated Query...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.

Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

Basic Information

ID CVE-2026-41717

Source vmware

Published Jun 9, 2026 at 23:48

Affected Product

Vendor Spring

Product Spring Data MongoDB

Version 5.0.0

Affected Versions Spring Spring Data MongoDB 5.0.0
Spring Spring Data MongoDB 4.5.0
Spring Spring Data MongoDB 4.4.0
Spring Spring Data MongoDB 4.3.0
Spring Spring Data MongoDB 4.2.0
Spring Spring Data MongoDB 4.1.0
Spring Spring Data MongoDB 4.0.0
Spring Spring Data MongoDB 3.4.0

CWE Classification

CWE-917

References

spring.io /security/cve-2026-41717

{
    "lastseen": "",
    "description": "Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.",
    "published": "2026-06-09T23:48:38.290Z",
    "modified": "2026-06-09T23:48:38.290Z",
    "type": "cve",
    "title": "Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41717",
    "id": "CVE-2026-41717",
    "bulletinFamily": "",
    "cwe": [
        "CWE-917"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Data MongoDB 5.0.0\nSpring Spring Data MongoDB 4.5.0\nSpring Spring Data MongoDB 4.4.0\nSpring Spring Data MongoDB 4.3.0\nSpring Spring Data MongoDB 4.2.0\nSpring Spring Data MongoDB 4.1.0\nSpring Spring Data MongoDB 4.0.0\nSpring Spring Data MongoDB 3.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Data MongoDB",
    "version": "5.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Data MongoDB – SpEL Expression Injection via Annotated Query Parameter Binding_CVE-2026-41717