CVSS Vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description (NVD)
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.
Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Analysis (AI)
Remote code execution risk in Spring Data MongoDB arises from a SpEL expression injection flaw (CWE-917) triggered during parameter binding for repository methods annotated with @Query that use a capture-all placeholder. With CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) and no public exploit identified at time of analysis, unauthenticated attackers who can influence query parameters reaching such a method could execute arbitrary SpEL expressions on the server.
Vulnerability Assessment (AI)
| Topic | Assessment |
|---|---|
| Exploitation | Exploitation requires a target application to declare a Spring Data MongoDB repository method annotated with @Query whose query string uses a capture-all SpEL placeholder, and to bind attacker-controllable input (typically an HTTP request parameter or body field) to that method's argument. … |
| Risk Assessment | The CVSS 8.1 vector indicates network reach with no privileges or user interaction, but with high attack complexity: exploitation depends on application-specific conditions (the target must actually expose a vulnerable @Query method with a capture-all placeholder and route attacker-controllable input into it). … |
| Exploit Scenario | An attacker submits a crafted value via an HTTP request parameter that the application passes to a Spring Data MongoDB repository method annotated with @Query using a capture-all placeholder; the value is interpolated into the query template, parsed as a SpEL expression, and executed server-side, allowing the attacker to invoke arbitrary Java methods and ultimately achieve remote code execution as the application user. No public exploit is identified at time of analysis, but the pattern is closely analogous to prior Spring SpEL injection issues for which weaponized payloads emerged rapidly. |
| Remediation | Upgrade Spring Data MongoDB to a fixed release on your branch. The advisory at https://spring.io/security/cve-2026-41717 should be consulted for the exact patched build, but logically the fixes are above the ranges listed (i.e. …). |
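The page describes the flaw only at the level of "@Query with a capture-all placeholder" and does not show the exact placeholder syntax, so the added example below does not reproduce the vulnerable form. Instead it shows the two lookup paths a defender would move such a method to, neither of which routes the caller's value through a SpEL-capable @Query template, plus the kind of compensating input check the truncated Recommended Action points at (rejecting SpEL delimiters such as `{` and `#{`). This is an editor-added example, not code from the Spring Data project or from the advisory; the entity, field and collection names, the `SPEL_MARKERS` pattern, and the assumption that derived and Criteria-built queries fall outside the described @Query code path are all assumptions.

```java
// Added example for this advisory page; not code from Spring Data MongoDB or
// from the advisory itself. Class, field and collection names are assumptions.
package example.mongo;

import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.core.query.Query;
import org.springframework.data.mongodb.repository.MongoRepository;

// Constructed entity used by both lookup paths below.
class Customer {
    @Id
    String id;
    String name;
    String region;
}

// Path 1: a derived query. Spring Data builds the filter from the method name
// and binds `region` as a plain BSON value; there is no @Query template string
// for the argument to be interpolated into (assumption: this keeps the method
// outside the @Query binding path the advisory describes).
interface CustomerRepository extends MongoRepository<Customer, String> {
    List<Customer> findByRegion(String region);
}

public class CustomerLookup {

    // Compensating control for builds that cannot be upgraded yet: refuse values
    // that carry SpEL delimiters before they reach any repository method. The
    // marker set is an assumption: any brace (which also covers the #{ and ${
    // openers) and T( type references. It is deliberately over-broad and is a
    // stop-gap, not a substitute for upgrading to a fixed release.
    private static final Pattern SPEL_MARKERS = Pattern.compile("[{}]|T\\(");

    private final MongoTemplate template;

    public CustomerLookup(MongoTemplate template) {
        this.template = template;
    }

    // Returns the value unchanged when it is free of SpEL markers; throws otherwise.
    public static String requirePlainValue(String value) {
        if (value == null || SPEL_MARKERS.matcher(value).find()) {
            throw new IllegalArgumentException("query value contains SpEL delimiters");
        }
        return value;
    }

    // Path 2: the Criteria API. The caller's value becomes a BSON value inside
    // the filter document and is never part of a string that is parsed as SpEL.
    public List<Customer> findByRegion(String region) {
        Query query = Query.query(Criteria.where("region").is(requirePlainValue(region)));
        return template.find(query, Customer.class, "customers");
    }
}
```

Wire `CustomerLookup` in place of the @Query-annotated method while the upgrade is scheduled; `requirePlainValue("eu-west")` passes through, while an input such as `"#{T(java.lang.Runtime)}"` is rejected before any binding happens. The check belongs at the boundary where request data is read, so that every repository call downstream sees only validated values; once the fixed release is deployed it can stay in place as defence in depth.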
Recommended Action (AI)
{, #{, method invocations). …
Related identifiers: EUVD-2026-35900, GHSA-5whc-4q84-fj73