Skip to main content

Spring Data REST EUVDEUVD-2026-35906

| CVE-2026-41729 HIGH
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-06-10 security@vmware.com GHSA-j388-8rm5-p97f
8.1
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (vmware) · only source for this CVE.

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Generated
Jun 10, 2026 - 00:34 vuln.today

DescriptionCVE.org

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.

Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

AnalysisAI

Server-Side Expression Language (SpEL) injection in Spring Data REST allows authenticated remote attackers to execute arbitrary expressions by sending JSON Patch requests targeting Map-typed entity properties. Affected versions span 3.7.0 through 5.0.5, and successful exploitation yields high confidentiality and integrity impact (CVSS 8.1). No public exploit identified at time of analysis, but the low attack complexity and network reachability make this a credible threat to any exposed REST repository accepting application/json-patch+json.

Technical ContextAI

Spring Data REST automatically exposes Spring Data repositories as hypermedia-driven HTTP resources and supports JSON Patch (RFC 6902) over the application/json-patch+json content type to mutate persistent entities. When the underlying entity declares a Map-typed property, the framework uses Spring's Expression Language (SpEL) to navigate to the target element, and the JSON Pointer path segment supplied by the client is interpolated directly into the SpEL expression. This matches CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement), the same root-cause class behind prior Spring SpEL RCE incidents such as CVE-2022-22963 and CVE-2018-1273, where untrusted input reaches SpEL evaluation without sanitization or use of a restricted SimpleEvaluationContext.

RemediationAI

Upgrade Spring Data REST to a fixed maintenance release above the listed ranges - patch available per vendor advisory at https://spring.io/security/cve-2026-41729; consult that advisory for the exact fixed version corresponding to your branch (3.7.x, 4.3.x, 4.4.x, 4.5.x, or 5.0.x) since no specific fixed version was independently confirmed in the data provided. If patching cannot be done immediately, compensating controls include rejecting or stripping the application/json-patch+json content type at an upstream proxy or WAF for endpoints backed by repositories that expose Map-typed properties (side effect: clients lose JSON Patch semantics and must fall back to PUT/PATCH with merge-patch), restricting REST repository access to authenticated administrative roles only via Spring Security method/URL rules (side effect: breaks any legitimate low-privilege REST API consumers), or refactoring affected entities to remove Map-typed properties from the exposed projection using @RestResource(exported = false) or DTO projections (side effect: API contract change for clients depending on those fields).

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-35906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy