
Spring for Apache Kafka EUVD-2026-35908

CVE-2026-41731 | HIGH
Deserialization of Untrusted Data (CWE-502)
Published 2026-06-10 · Source: security@vmware.com · GHSA-xq69-5h5v-x9x4
CVSS 3.1 (NVD): 8.1

Severity by source

Vendor (vmware), primary: HIGH (qualitative rating, no vector published)
NVD: 8.1 HIGH, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

The primary rating shown on this page is the vendor (vmware) rating.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 10, 2026, 02:01 (EUVD)
Analysis generated: Jun 10, 2026, 00:35 (vuln.today)
CVE published: Jun 10, 2026, 00:16 (NVD)

Description (NVD)

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.

Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Analysis (AI-generated)

Unsafe deserialization in Spring for Apache Kafka (versions 2.8.0-4.0.5 across multiple branches) allows a malicious Kafka producer to send crafted message headers that cause downstream consumers to instantiate arbitrary JDK types via Jackson. The flaw stems from a prefix-based trusted-packages check in JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper, which silently extends trust to every subpackage. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

1. Access: gain produce access to a topic read by the vulnerable consumer.
2. Delivery: craft a header whose declared type is a class in a subpackage of a trusted package (the prefix check accepts it).
3. Exploit: embed a JSON header value that drives Jackson's default bean deserialization toward a gadget present on the consumer classpath.
4. Execution: the consumer's header mapper accepts the declared type.
5. Deserialization: Jackson instantiates the attacker-chosen class from the header value.
6. Impact: side effects of constructing that object execute code in the consumer JVM; without a usable gadget on the classpath the impact is limited to instantiating unexpected types.

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires the attacker to be able to produce messages to a Kafka topic that a vulnerable Spring for Apache Kafka consumer reads, with that consumer configured to use JsonKafkaHeaderMapper or DefaultKafkaHeaderMapper for header type mapping. Consumers that do not map JSON header types are not in scope. …
Risk Assessment: CVSS 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects an unauthenticated, network-reachable attack with high impact on confidentiality, integrity and availability, tempered by high attack complexity: the attacker needs produce access to the right topic and a usable gadget on the consumer classpath. …
Exploit Scenario: An attacker who can publish records to a Kafka topic consumed by a vulnerable Spring application crafts a message header whose declared Java type names a class in a subpackage of any trusted package, with a JSON value that drives Jackson's default bean deserialization into a gadget chain present on the consumer classpath. When the consumer reads the record, the header mapper accepts the type, Jackson constructs the attacker-chosen object, and the side effects of that construction yield arbitrary code execution or sensitive data disclosure in the consumer JVM. The reachable impact therefore depends on which classes the consumer's classpath makes available. …
Remediation: Upgrade Spring for Apache Kafka to a fixed release on your branch. Consult the Spring advisory at https://spring.io/security/cve-2026-41731 for the exact patched versions; the data available here lists only the vulnerable ranges, and no fixed build number was independently confirmed. …
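The prefix check from the Description and the Exploit Scenario, modelled side by side with an exact-package check, as an added example. This is illustrative code written for this page, not spring-kafka's implementation and not the vendor's fix: the trusted package names, the header-types map and the class names are constructed for the demo, and the hardened variant assumes the intended semantics (a class is trusted only if its own package is listed), which the advisory does not spell out. No Jackson deserialization happens here; the point is which declared types each check would hand to the deserializer.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative model of the trusted-package check applied to JSON header
 * types. Written for this page; not spring-kafka's code. Nothing is
 * deserialized: we only decide which declared types pass the check.
 */
public class HeaderTypeTrustCheck {

    /**
     * Vulnerable behaviour as the advisory describes it: a type is trusted
     * when its name starts with a trusted package, so every subpackage of a
     * trusted package is implicitly trusted as well.
     */
    static boolean trustedByPrefix(String fqcn, Set<String> trustedPackages) {
        for (String pkg : trustedPackages) {
            if (fqcn.startsWith(pkg + ".")) {
                return true; // "java.util" also admits "java.util.concurrent.X"
            }
        }
        return false;
    }

    /**
     * Hardened behaviour (assumed intended semantics): the class's own package
     * must be exactly one of the trusted packages. Subpackages are not admitted
     * unless they are listed explicitly.
     */
    static boolean trustedByExactPackage(String fqcn, Set<String> trustedPackages) {
        int lastDot = fqcn.lastIndexOf('.');
        if (lastDot <= 0 || lastDot == fqcn.length() - 1) {
            return false; // default package or malformed name: never trusted
        }
        return trustedPackages.contains(fqcn.substring(0, lastDot));
    }

    /**
     * Audit helper: given the decoded "header name -> FQCN" map a record
     * carries, return the headers whose type the prefix check would accept
     * but the exact-package check rejects. These are the entries this CVE
     * is about, whether produced by a legitimate client or an attacker.
     */
    static List<String> headersInPrefixGap(Map<String, String> headerTypes, Set<String> trustedPackages) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> e : headerTypes.entrySet()) {
            String fqcn = e.getValue();
            if (trustedByPrefix(fqcn, trustedPackages) && !trustedByExactPackage(fqcn, trustedPackages)) {
                flagged.add(e.getKey() + " -> " + fqcn);
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Assumed consumer configuration: the application trusts its own model
        // package plus java.util (both chosen for this example only).
        Set<String> trusted = Set.of("com.acme.model", "java.util");

        // Constructed content of one record's header-types map, i.e. the decoded
        // "header name -> declared Java type" JSON that the producer controls.
        Map<String, String> headerTypes = new LinkedHashMap<>();
        headerTypes.put("orderEvent", "com.acme.model.OrderEvent");              // legitimate
        headerTypes.put("batchRef",   "com.acme.model.internal.BatchRef");       // subpackage of a trusted package
        headerTypes.put("counter",    "java.util.concurrent.atomic.AtomicLong"); // JDK subpackage, same flaw
        headerTypes.put("junk",       "java.io.File");                           // untrusted under both checks

        System.out.printf("%-12s %-42s %-7s %s%n", "header", "declared type", "prefix", "exact");
        for (Map.Entry<String, String> e : headerTypes.entrySet()) {
            System.out.printf("%-12s %-42s %-7s %s%n", e.getKey(), e.getValue(),
                    trustedByPrefix(e.getValue(), trusted),
                    trustedByExactPackage(e.getValue(), trusted));
        }
        // Expected: batchRef and counter are accepted by the prefix check only.
        System.out.println("Accepted only by the prefix check: " + headersInPrefixGap(headerTypes, trusted));
    }
}
```

Pointing the audit helper at the decoded header-types map of sampled records from a topic shows which producers already rely on subpackage trust: those are the messages an attacker would imitate, and the ones whose behaviour may change after the upgrade, so review them before patching rather than after.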

Recommended Action (AI-generated)

24 HOURS: Identify systems running Spring for Apache Kafka versions 2.8.0-4.0.5. …
