In Spring for Apache Pulsar, overly broad trusted-package matching in...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list.

Affected versions:
Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.

Basic Information

ID CVE-2026-41732

Source vmware

Published Jun 9, 2026 at 23:49

Affected Product

Vendor Spring

Product Spring for Apache Pulsar

Version 2.0.0

Affected Versions Spring Spring for Apache Pulsar 2.0.0
Spring Spring for Apache Pulsar 1.2.0
Spring Spring for Apache Pulsar 1.1.0

CWE Classification

CWE-502

References

spring.io /security/cve-2026-41732

{
    "lastseen": "",
    "description": "JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list.\n\nAffected versions:\nSpring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.",
    "published": "2026-06-09T23:49:31.164Z",
    "modified": "2026-06-09T23:49:31.164Z",
    "type": "cve",
    "title": "In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41732",
    "id": "CVE-2026-41732",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring for Apache Pulsar 2.0.0\nSpring Spring for Apache Pulsar 1.2.0\nSpring Spring for Apache Pulsar 1.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring for Apache Pulsar",
    "version": "2.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization_CVE-2026-41732