In Spring for Apache Kafka, forged retry topic headers subvert...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Basic Information

ID CVE-2026-41727

Source vmware

Published Jun 9, 2026 at 23:49

Affected Product

Vendor Spring

Product Spring for Apache Kafka

Version 4.0.0

Affected Versions Spring Spring for Apache Kafka 4.0.0
Spring Spring for Apache Kafka 3.3.0
Spring Spring for Apache Kafka 3.2.0
Spring Spring for Apache Kafka 2.9.0
Spring Spring for Apache Kafka 2.8.0

CWE Classification

CWE-20

References

spring.io /security/cve-2026-41727

{
    "lastseen": "",
    "description": "Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.",
    "published": "2026-06-09T23:49:10.215Z",
    "modified": "2026-06-09T23:49:10.215Z",
    "type": "cve",
    "title": "In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41727",
    "id": "CVE-2026-41727",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring for Apache Kafka 4.0.0\nSpring Spring for Apache Kafka 3.3.0\nSpring Spring for Apache Kafka 3.2.0\nSpring Spring for Apache Kafka 2.9.0\nSpring Spring for Apache Kafka 2.8.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring for Apache Kafka",
    "version": "4.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior_CVE-2026-41727