
Spring for Apache Pulsar CVE-2026-41732

EUVD-2026-35909 · HIGH
Deserialization of Untrusted Data (CWE-502)
Published 2026-06-10 · Source: security@vmware.com · GHSA-gg69-9wwp-6jx2
CVSS 3.1 (NVD): 8.1

Severity by source

  • Vendor (vmware), primary: HIGH (qualitative rating)
  • NVD: 8.1 HIGH (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Primary rating from Vendor (vmware).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Patch available: Jun 10, 2026 - 02:01 (EUVD)
  • Analysis Generated: Jun 10, 2026 - 00:35 (vuln.today)
  • CVE Published: Jun 10, 2026 - 00:16 (nvd)

Description (NVD)

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list.

Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
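The two defects the description names (a string-prefix package match, and an empty allow-list that trusts everything) are easy to see side by side in code. The following is an added example written for this page; it is not Spring for Apache Pulsar's own JsonPulsarHeaderMapper, and the class name, method names, ".*" opt-in convention and sample type names are all hypothetical. It contrasts the weak check with a boundary-aware variant that fails closed:

```java
import java.util.List;

/**
 * Hypothetical stand-in for a header type allow-list check; not the real
 * JsonPulsarHeaderMapper. It contrasts the weak pattern described in
 * CVE-2026-41732 with a boundary-aware, fail-closed variant.
 */
public final class TrustedPackageCheck {

    /** Weak: plain prefix match, and an empty list means "trust everything". */
    static boolean isTrustedWeak(String className, List<String> trustedPackages) {
        if (trustedPackages.isEmpty()) {
            return true; // unsafe fallback: no configuration == no restriction
        }
        for (String pkg : trustedPackages) {
            if (className.startsWith(pkg)) { // "com.example.events" also admits
                return true;                 // "com.example.eventsx.Foo" and every subpackage
            }
        }
        return false;
    }

    /**
     * Hardened: the class's package must equal an entry exactly, or fall under
     * an entry that explicitly opts into subpackages with a trailing ".*"
     * (a convention chosen for this example). An empty list admits nothing.
     */
    static boolean isTrustedStrict(String className, List<String> trustedPackages) {
        if (trustedPackages.isEmpty()) {
            return false; // fail closed until an operator configures an allow-list
        }
        int lastDot = className.lastIndexOf('.');
        if (lastDot <= 0) {
            return false; // default (unnamed) package is never trusted
        }
        String classPackage = className.substring(0, lastDot);
        for (String entry : trustedPackages) {
            if (entry.endsWith(".*")) {
                String base = entry.substring(0, entry.length() - 2);
                // subpackage match must stop at a '.' boundary, not at a string prefix
                if (classPackage.equals(base) || classPackage.startsWith(base + ".")) {
                    return true;
                }
            } else if (classPackage.equals(entry)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> trusted = List.of("com.example.events");
        List<String> empty = List.of();
        // Constructed sample type names; none refer to real classes.
        String[] candidates = {
            "com.example.events.OrderCreated",      // intended: exact package
            "com.example.events.internal.Helper",   // subpackage never opted in
            "com.example.eventsx.Other",            // sibling package sharing a prefix
            "Unpackaged",                           // default package
        };
        System.out.printf("%-40s %-6s %-6s%n", "class", "weak", "strict");
        for (String c : candidates) {
            System.out.printf("%-40s %-6b %-6b%n", c,
                isTrustedWeak(c, trusted), isTrustedStrict(c, trusted));
        }
        // Empty allow-list: the weak check trusts everything, the strict check trusts nothing.
        System.out.printf("empty list, %s: weak=%b strict=%b%n", candidates[0],
            isTrustedWeak(candidates[0], empty), isTrustedStrict(candidates[0], empty));
    }
}
```

Run it with `java TrustedPackageCheck.java` (Java 11 or later). Only the first candidate is admitted by both checks; the weak check also admits the subpackage and the sibling package that merely shares a prefix, and admits everything once the list is empty. When a consumer genuinely needs subpackages, the strict variant makes that an explicit, reviewable opt-in rather than an accident of string matching.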

Analysis (AI)

Insecure deserialization in Spring for Apache Pulsar's JsonPulsarHeaderMapper allows remote attackers to bypass trusted-package controls and potentially trigger arbitrary Java object instantiation through Pulsar message headers. The flaw stems from a prefix-based package match plus an unsafe empty-allow-list default, affecting versions 1.1.0-1.1.17, 1.2.0-1.2.17, and 2.0.0-2.0.5. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Gain publish access to consumed Pulsar topic
  • Delivery: Craft message header with malicious type metadata
  • Exploit: Header bypasses prefix-based trusted-packages check
  • Execution: Consumer JsonPulsarHeaderMapper deserializes attacker-chosen class
  • Persist: Gadget chain executes in consumer JVM
  • Impact: Full compromise of consumer process

Vulnerability Assessment (AI)

Exploitation: Three conditions are required: (1) a Spring for Apache Pulsar consumer on a vulnerable version (1.1.0-1.1.17, 1.2.0-1.2.17, or 2.0.0-2.0.5) that uses JsonPulsarHeaderMapper to deserialize message headers; (2) the attacker can publish messages to a topic that consumer reads, whether directly through Pulsar producer access, via a compromised upstream producer, or because the topic accepts untrusted input; and (3) either trustedPackages is configured with a parent package whose subpackages contain an exploitable class, or trustedPackages is left empty (triggering the unsafe trust-everything fallback). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H signals a network-reachable, unauthenticated path with high attack complexity and full CIA impact on the consumer JVM, which is typical of a Java deserialization issue that depends on a suitable gadget chain being present on the consumer's classpath. …

Exploit Scenario: An attacker with the ability to publish to a Pulsar topic consumed by a vulnerable Spring for Apache Pulsar application crafts a message whose header type metadata references a class living under (or prefix-matching) a trusted package, or any class at all if the consumer left trustedPackages empty. When the JsonPulsarHeaderMapper deserializes the header on the consumer JVM, Jackson instantiates the attacker-chosen type, and if a suitable gadget chain exists on the consumer's classpath this can chain into arbitrary code execution in the consumer process. …

Remediation: Upgrade Spring for Apache Pulsar to a fixed release on your branch; consult https://spring.io/security/cve-2026-41732 for the exact patched versions, which this record does not list. …

Recommended Action (AI)

Within 24 hours: Conduct comprehensive inventory of production, staging, and development systems using Spring for Apache Pulsar versions 1.1.0-1.1.17, 1.2.0-1.2.17, or 2.0.0-2.0.5 via dependency scanning (Maven, Gradle, SBOMs). …
