
Spring Data KeyValue CVE-2026-41719

EUVD-2026-35901 | Severity: MEDIUM
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-06-10 | security@vmware.com | GHSA-xg2j-3hj6-pc24
CVSS 3.1 base score: 6.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline (2 events)

Patch available: Jun 10, 2026 - 02:01 (EUVD)
Analysis Generated: Jun 10, 2026 - 00:42 (vuln.today)

Description (NVD)

A SpEL injection vulnerability exists in Spring Data KeyValue if unsanitized user input is passed as a Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.

Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Analysis (AI)

SpEL (Spring Expression Language) injection in Spring Data KeyValue and Spring Data Redis allows a network-accessible, low-privileged attacker to execute arbitrary SpEL expressions when applications pass unsanitized user-controlled Sort parameters directly to repository query methods delegating to SpelPropertyComparator. Affected versions span eight major release lines from 2.7.x through 4.0.x, making the exposure surface broad across Spring-based Java ecosystems. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to target application
Delivery: Identify API endpoint accepting user-controlled sort parameter
Exploit: Craft Sort value containing malicious SpEL expression
Execution: Submit HTTP request to vulnerable repository query method
Persist: SpelPropertyComparator evaluates injected SpEL expression
Impact: Exfiltrate sensitive data or trigger unintended object graph access

Vulnerability Assessment (AI)

Exploitation: The vulnerability requires that three specific conditions hold simultaneously: (1) the application uses Spring Data KeyValue or Spring Data Redis in one of the affected version ranges; (2) at least one repository query method accepts a Sort parameter that is constructed from user-controlled input without sanitization or allowlisting; and (3) that query path delegates comparison to SpelPropertyComparator. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS base score of 6.4 (Medium) is shaped significantly by AC:H (High Attack Complexity) and PR:L (Low Privileges Required), both of which suppress what would otherwise be a critical-tier finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a valid low-privilege account submits a crafted HTTP request to an application endpoint (e.g., a paginated search or list API) where the sort query parameter is deserialized into a Spring Data Sort object and passed without validation to a KeyValue or Redis repository query method. The Sort value contains an injected SpEL expression, such as a method invocation against a sensitive Spring bean or a file-system read; SpelPropertyComparator evaluates this expression during comparison, returning sensitive data in the response or triggering a side effect. …

Remediation: Upgrade to a fixed version of Spring Data KeyValue or Spring Data Redis as documented in the vendor advisory at https://spring.io/security/cve-2026-41719. … Detailed patch versions, workarounds, and compensating controls in full report.
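The primary fix is the version upgrade named above. As a compensating control for condition (2) of the exploitation assessment, the following added example shows how an application can stop user input from ever reaching a Sort as a free-form property name: request-supplied sort tokens are checked against a fixed allowlist of entity properties before a Spring Data Sort is built. This is illustrative code written for this page, not code from the Spring projects or from the advisory; it assumes spring-data-commons on the classpath (for org.springframework.data.domain.Sort) and an assumed allowlist of three property names, and the request parsing it performs (a "property,direction" token format) is an assumption about how the endpoint encodes sort parameters.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.data.domain.Sort;

/**
 * Builds a Spring Data Sort from request-supplied "property,direction" tokens,
 * accepting only property names from a fixed allowlist. Added example code;
 * the allowlist contents and the calling endpoint are assumptions.
 */
public final class SortAllowlist {

    // Only these entity properties may be sorted on (assumed for this example).
    private static final Set<String> SORTABLE = Set.of("name", "createdAt", "price");

    // Defence in depth: a legitimate property name is a plain identifier, so any
    // token containing other characters is rejected before the allowlist is consulted.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    // Bound the number of orders so a request cannot build an arbitrarily large Sort.
    private static final int MAX_ORDERS = 3;

    private SortAllowlist() {}

    /**
     * @param rawSortParams values of the "sort" query parameter, e.g. ["name,asc", "price,desc"]
     * @param fallback      Sort to use when no sort parameter was supplied
     * @return a Sort that references allowlisted properties only
     * @throws IllegalArgumentException for any token outside the allowlist
     */
    public static Sort fromRequest(List<String> rawSortParams, Sort fallback) {
        if (rawSortParams == null || rawSortParams.isEmpty()) {
            return fallback;
        }
        if (rawSortParams.size() > MAX_ORDERS) {
            throw new IllegalArgumentException("too many sort clauses");
        }
        List<Sort.Order> orders = new ArrayList<>();
        for (String raw : rawSortParams) {
            String[] parts = raw.split(",", 2);
            String property = parts[0].trim();
            if (!IDENTIFIER.matcher(property).matches() || !SORTABLE.contains(property)) {
                // Fail closed, and do not echo the rejected value back to the client.
                throw new IllegalArgumentException("unsupported sort property");
            }
            Sort.Direction direction = Sort.Direction.ASC;
            if (parts.length == 2) {
                // Unknown direction strings fall back to ASC rather than being passed through.
                direction = Sort.Direction.fromOptionalString(parts[1].trim())
                        .orElse(Sort.Direction.ASC);
            }
            orders.add(new Sort.Order(direction, property));
        }
        return Sort.by(orders);
    }

    public static void main(String[] args) {
        // Accepted: both properties are in the allowlist.
        Sort accepted = fromRequest(List.of("name,asc", "price,desc"), Sort.unsorted());
        System.out.println("accepted sort: " + accepted);

        // Rejected: the property is not in the allowlist, so no Sort is ever built from it.
        try {
            fromRequest(List.of("unknownField,asc"), Sort.unsorted());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wire the returned Sort into the repository call instead of the raw request value; because the property string that reaches the repository can only be one of the allowlisted literals, the SpEL evaluation path the advisory describes never sees attacker-controlled text. Rejections are a useful detection signal as well: a spike of "unsupported sort property" errors on a list or search endpoint is worth alerting on.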



