Skip to main content

baomidou dynamic-datasource CVE-2026-7045

| EUVDEUVD-2026-25722 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-04-26 VulDB
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
CVSS changed
Apr 26, 2026 - 22:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 26, 2026 - 14:15 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 14:00 euvd
EUVD-2026-25722
Analysis Generated
Apr 26, 2026 - 14:00 vuln.today
Patch released
Apr 26, 2026 - 14:00 nvd
Patch available
CVE Published
Apr 26, 2026 - 13:45 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 64 maven packages depend on com.baomidou:dynamic-datasource-spring (1 direct, 63 indirect)

Ecosystem-wide dependent count for version 4.5.0.

DescriptionCVE.org

A vulnerability was determined in baomidou dynamic-datasource 2.5.0. Affected by this vulnerability is the function DsSpelExpressionProcessor#doDetermineDatasource of the file dynamic-datasource-spring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java of the component StandardEvaluationContext/SpelExpressionParser. This manipulation causes injection. The attack may be initiated remotely. Patch name: 273fcedaee984c08197c0890f14190b86ab7e0b8. It is recommended to apply a patch to fix this issue.

AnalysisAI

SpEL expression injection in baomidou dynamic-datasource 2.5.0 allows authenticated remote attackers to execute arbitrary code via the DsSpelExpressionProcessor component. The vulnerability stems from unsafe evaluation of Spring Expression Language (SpEL) in datasource routing logic, enabling attackers with application access to inject malicious expressions that execute with application privileges. No public exploit code or active exploitation has been identified at time of analysis, though upstream fix is available.

Technical ContextAI

baomidou dynamic-datasource is a Java library that provides dynamic database routing for Spring applications using SpEL expressions to determine the target datasource at runtime. The vulnerability exists in the DsSpelExpressionProcessor class, which uses Spring's StandardEvaluationContext and SpelExpressionParser to evaluate user-controlled or attacker-influenced expressions without sufficient sanitization. SpEL (Spring Expression Language) is a powerful templating language that, when evaluated on untrusted input, can be leveraged for arbitrary code execution through method invocation, class instantiation, and property access. This is a classic instantiation of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), where unsanitized input flows directly into a code evaluation context.

RemediationAI

Apply the upstream patch released by baomidou via the commit 273fcedaee984c08197c0890f14190b86ab7e0b8 (GitHub pull request #767). Users should upgrade to a version that includes this commit, which is available from the baomidou/dynamic-datasource GitHub repository (https://github.com/baomidou/dynamic-datasource). If an immediate upgrade is not feasible, restrict application access to trusted users only and disable dynamic datasource routing features that rely on user-supplied SpEL expressions. Additionally, implement input validation and whitelisting for any datasource selection criteria before they are passed to the SpEL evaluator. Monitor application logs for suspicious SpEL expressions or unexpected datasource routing behavior. Contact baomidou maintainers or check GitHub releases for the specific patched version number, as the remediation data does not specify the exact release version containing the fix.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-7045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy