In Spring for Apache Kafka, overly broad trusted-package matching in...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Basic Information

ID CVE-2026-41731

Source vmware

Published Jun 9, 2026 at 23:49

Affected Product

Vendor Spring

Product Spring for Apache Kafka

Version 4.0.0

Affected Versions Spring Spring for Apache Kafka 4.0.0
Spring Spring for Apache Kafka 3.3.0
Spring Spring for Apache Kafka 3.2.0
Spring Spring for Apache Kafka 2.9.0
Spring Spring for Apache Kafka 2.8.0

CWE Classification

CWE-502

References

spring.io /security/cve-2026-41731

{
    "lastseen": "",
    "description": "JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.\n\nAffected versions:\nSpring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.",
    "published": "2026-06-09T23:49:26.535Z",
    "modified": "2026-06-09T23:49:26.535Z",
    "type": "cve",
    "title": "In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41731",
    "id": "CVE-2026-41731",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring for Apache Kafka 4.0.0\nSpring Spring for Apache Kafka 3.3.0\nSpring Spring for Apache Kafka 3.2.0\nSpring Spring for Apache Kafka 2.9.0\nSpring Spring for Apache Kafka 2.8.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring for Apache Kafka",
    "version": "4.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization_CVE-2026-41731