
Spring Kafka CVE-2026-41727

EUVD-2026-35904 · MEDIUM
Improper Input Validation (CWE-20)
2026-06-10 security@vmware.com GHSA-53w6-v7cv-fc9h
6.5 (CVSS 3.1, NVD)

Severity by source

Vendor (vmware), primary: MEDIUM (qualitative rating)
NVD: 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (vmware).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 10, 2026 02:01 (EUVD)
Analysis generated: Jun 10, 2026 00:44 (vuln.today)
CVE published: Jun 10, 2026 00:16 (NVD)

Description (NVD)

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.

Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Analysis (AI-generated)

Improper input validation in Spring for Apache Kafka's non-blocking retry topic infrastructure allows an authenticated network producer to disrupt message processing availability across multiple major version lines. By injecting a crafted retry_topic-attempts header with an out-of-range integer value, an attacker causes the retry topic router to misidentify the message's position in the retry sequence, producing high availability impact (A:H per CVSS). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege Kafka producer credentials
Delivery: Identify a topic consumed by a Spring Kafka application with retry topic infrastructure
Exploit: Craft a message with an out-of-range retry_topic-attempts header
Execution: Publish the crafted record to the target topic
Persist: Retry router misidentifies the retry sequence position
Impact: Message processing pipeline availability is disrupted

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires three concrete conditions to hold simultaneously: (1) the target Spring Kafka application must be configured to use the non-blocking retry topic infrastructure, via the `@RetryableTopic` annotation or a programmatic `RetryTopicConfiguration` (applications using only blocking retry, or no retry logic at all, are not affected); (2) the attacker must hold low-privilege Kafka producer credentials (PR:L in the CVSS vector) with WRITE permission on a topic consumed by the vulnerable application (unauthenticated or anonymous producers cannot exploit this); and (3) the attacker must be able to set arbitrary Kafka message headers, which is standard behaviour for any authenticated Kafka producer client. …

Risk Assessment: CVSS 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H describes a network-exploitable denial-of-availability condition that requires only low-privilege authentication, has low attack complexity, and needs no user interaction. …

Exploit Scenario: An attacker with low-privilege Kafka producer credentials (for example a compromised internal service account, or a malicious tenant in a multi-tenant Kafka cluster) publishes a message to a topic consumed by a Spring Kafka application that has the non-blocking retry topic infrastructure enabled. The message carries a crafted `retry_topic-attempts` header set to a large out-of-range integer, causing the retry topic router to misidentify the message's position in the retry sequence and misroute it or loop it indefinitely, degrading or halting message processing for that topic. …

Remediation: Consult the vendor advisory at https://spring.io/security/cve-2026-41727 for the exact patched release on each affected branch (4.0.x, 3.3.x, 3.2.x, 2.9.x, 2.8.x); specific fix versions were not present in the provided data, and upgrading to the next available release above the affected range on each branch is the primary recommended action. …
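Upgrading is the fix; the following is an added example (not Spring Kafka project code and not from the advisory) of a consumer-side compensating control for the interval before an upgrade can be rolled out. It registers a `RecordInterceptor` that reads the `retry_topic-attempts` header and skips, with a log line, any record whose attempt count is missing its expected encoding or falls outside `[1, maxAttempts]`, so the retry router never acts on an out-of-range value. Assumptions to verify against your Spring Kafka version: the header value is a 4-byte big-endian int (a single byte in some older releases); `RecordInterceptor.intercept` returning `null` causes the listener to skip the record; and your `@RetryableTopic` endpoints use the container factory shown (the package, class names and `MAX_ATTEMPTS` are hypothetical).

```java
package com.example.kafka; // hypothetical package

import java.nio.ByteBuffer;

import org.apache.kafka.clients.consumer.Consumer;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.common.header.Header;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.kafka.config.ConcurrentKafkaListenerContainerFactory;
import org.springframework.kafka.core.ConsumerFactory;
import org.springframework.kafka.listener.RecordInterceptor;
import org.springframework.kafka.retrytopic.RetryTopicHeaders;

/**
 * Added example: rejects records carrying an out-of-range retry_topic-attempts
 * header before the retry topic router sees them.
 */
public class RetryAttemptsHeaderGuard<K, V> implements RecordInterceptor<K, V> {

    private static final Logger log = LoggerFactory.getLogger(RetryAttemptsHeaderGuard.class);

    private final int maxAttempts; // the attempts value configured on @RetryableTopic

    public RetryAttemptsHeaderGuard(int maxAttempts) {
        if (maxAttempts < 1) {
            throw new IllegalArgumentException("maxAttempts must be >= 1");
        }
        this.maxAttempts = maxAttempts;
    }

    @Override
    public ConsumerRecord<K, V> intercept(ConsumerRecord<K, V> record, Consumer<K, V> consumer) {
        // RetryTopicHeaders.DEFAULT_HEADER_ATTEMPTS is the "retry_topic-attempts" header name.
        Header header = record.headers().lastHeader(RetryTopicHeaders.DEFAULT_HEADER_ATTEMPTS);
        if (header == null) {
            return record; // first delivery: no attempts header is the normal case
        }
        Integer attempts = decodeAttempts(header.value());
        if (attempts == null || attempts < 1 || attempts > maxAttempts) {
            // Assumption: returning null makes the container skip this record.
            log.warn("Skipping record {}-{}@{}: invalid retry_topic-attempts header (decoded={}, max={})",
                    record.topic(), record.partition(), record.offset(), attempts, maxAttempts);
            return null;
        }
        return record;
    }

    /**
     * Decodes the attempts header. Assumption: 4-byte big-endian int in current
     * releases, single byte in older ones; any other length is treated as invalid.
     */
    static Integer decodeAttempts(byte[] value) {
        if (value == null) {
            return null;
        }
        if (value.length == Integer.BYTES) {
            return ByteBuffer.wrap(value).getInt();
        }
        if (value.length == Byte.BYTES) {
            return (int) value[0];
        }
        return null;
    }
}

@Configuration
class RetryGuardKafkaConfig {

    static final int MAX_ATTEMPTS = 4; // hypothetical; must match the listener's @RetryableTopic(attempts = ...)

    @Bean
    ConcurrentKafkaListenerContainerFactory<String, String> kafkaListenerContainerFactory(
            ConsumerFactory<String, String> consumerFactory) {
        ConcurrentKafkaListenerContainerFactory<String, String> factory =
                new ConcurrentKafkaListenerContainerFactory<>();
        factory.setConsumerFactory(consumerFactory);
        // The interceptor runs for the main and retry topic listeners created from this factory.
        factory.setRecordInterceptor(new RetryAttemptsHeaderGuard<>(MAX_ATTEMPTS));
        return factory;
    }
}
```

Skipped records are logged with topic, partition and offset, which gives a detection signal as well: a burst of these warnings from one topic points at a producer writing out-of-range attempt counts and is worth correlating with the producer's credentials and ACLs.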



CVE-2026-41727 vulnerability details – vuln.today
