Spring Data KeyValue – SpEL Injection vulnerability in SpelPropertyComparator

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

Description

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.

Affected versions:
Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Basic Information

ID CVE-2026-41719

Source vmware

Published Jun 9, 2026 at 23:48

Affected Product

Vendor Spring

Product Spring Data KeyValue

Version 4.0.0

Affected Versions Spring Spring Data KeyValue 4.0.0
Spring Spring Data KeyValue 3.5.0
Spring Spring Data KeyValue 3.4.0
Spring Spring Data KeyValue 3.3.0
Spring Spring Data KeyValue 3.2.0
Spring Spring Data KeyValue 3.1.0
Spring Spring Data KeyValue 3.0.0
Spring Spring Data KeyValue 2.7.0
Spring Spring Data Redis 4.0.0
Spring Spring Data Redis 3.5.0
Spring Spring Data Redis 3.4.0
Spring Spring Data Redis 3.3.0
Spring Spring Data Redis 3.2.0
Spring Spring Data Redis 3.1.0
Spring Spring Data Redis 3.0.0
Spring Spring Data Redis 2.7.0

CWE Classification

CWE-917

References

spring.io /security/cve-2026-41719

{
    "lastseen": "",
    "description": "A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.\n\nAffected versions:\nSpring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.",
    "published": "2026-06-09T23:48:42.396Z",
    "modified": "2026-06-09T23:48:42.396Z",
    "type": "cve",
    "title": "Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41719",
    "id": "CVE-2026-41719",
    "bulletinFamily": "",
    "cwe": [
        "CWE-917"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Data KeyValue 4.0.0\nSpring Spring Data KeyValue 3.5.0\nSpring Spring Data KeyValue 3.4.0\nSpring Spring Data KeyValue 3.3.0\nSpring Spring Data KeyValue 3.2.0\nSpring Spring Data KeyValue 3.1.0\nSpring Spring Data KeyValue 3.0.0\nSpring Spring Data KeyValue 2.7.0\nSpring Spring Data Redis 4.0.0\nSpring Spring Data Redis 3.5.0\nSpring Spring Data Redis 3.4.0\nSpring Spring Data Redis 3.3.0\nSpring Spring Data Redis 3.2.0\nSpring Spring Data Redis 3.1.0\nSpring Spring Data Redis 3.0.0\nSpring Spring Data Redis 2.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Data KeyValue",
    "version": "4.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Data KeyValue – SpEL Injection vulnerability in SpelPropertyComparator_CVE-2026-41719