Spring Data REST SpEL Injection via Map Key in JSON...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.

Affected versions:
Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Basic Information

ID CVE-2026-41729

Source vmware

Published Jun 9, 2026 at 23:49

Affected Product

Vendor Spring

Product Spring Data REST

Version 3.7.0

Affected Versions Spring Spring Data REST 3.7.0
Spring Spring Data REST 4.3.0
Spring Spring Data REST 4.4.0
Spring Spring Data REST 4.5.0
Spring Spring Data REST 5.0.0

CWE Classification

CWE-917

References

spring.io /security/cve-2026-41729

{
    "lastseen": "",
    "description": "Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.",
    "published": "2026-06-09T23:49:17.014Z",
    "modified": "2026-06-09T23:49:17.014Z",
    "type": "cve",
    "title": "Spring Data REST SpEL Injection via Map Key in JSON Patch",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41729",
    "id": "CVE-2026-41729",
    "bulletinFamily": "",
    "cwe": [
        "CWE-917"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Data REST 3.7.0\nSpring Spring Data REST 4.3.0\nSpring Spring Data REST 4.4.0\nSpring Spring Data REST 4.5.0\nSpring Spring Data REST 5.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Data REST",
    "version": "3.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Data REST SpEL Injection via Map Key in JSON Patch_CVE-2026-41729