Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (vmware) · only source for this CVE.
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.
Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
AnalysisAI
Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.
Technical ContextAI
Spring Data REST automatically exposes Spring Data repositories as hypermedia-driven HTTP resources and supports JSON Patch (RFC 6902) over the application/json-patch+json content type to mutate persistent entities. When the underlying entity declares a Map-typed property, the framework uses Spring's Expression Language (SpEL) to navigate to the target element, and the JSON Pointer path segment supplied by the client is interpolated directly into the SpEL expression. This matches CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement), the same root-cause class behind prior Spring SpEL RCE incidents such as CVE-2022-22963 and CVE-2018-1273, where untrusted input reaches SpEL evaluation without sanitization or use of a restricted SimpleEvaluationContext.
RemediationAI
Upgrade Spring Data REST to a fixed maintenance release above the listed ranges - patch available per vendor advisory at https://spring.io/security/cve-2026-41729; consult that advisory for the exact fixed version corresponding to your branch (3.7.x, 4.3.x, 4.4.x, 4.5.x, or 5.0.x) since no specific fixed version was independently confirmed in the data provided. If patching cannot be done immediately, compensating controls include rejecting or stripping the application/json-patch+json content type at an upstream proxy or WAF for endpoints backed by repositories that expose Map-typed properties (side effect: clients lose JSON Patch semantics and must fall back to PUT/PATCH with merge-patch), restricting REST repository access to authenticated administrative roles only via Spring Security method/URL rules (side effect: breaks any legitimate low-privilege REST API consumers), or refactoring affected entities to remove Map-typed properties from the exposed projection using @RestResource(exported = false) or DTO projections (side effect: API contract change for clients depending on those fields).
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35906
GHSA-j388-8rm5-p97f