
Description

Spring Data REST is vulnerable to SpEL (Spring Expression Language) expression injection through Map-typed properties when it processes JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation, so a client that can send a patch for such an entity controls part of the expression the server evaluates. Affected versions: Spring Data REST 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11 and 5.0.0 through 5.0.5; the first unaffected release on each line is 3.7.20, 4.3.17, 4.4.15, 4.5.12 and 5.0.6 respectively.
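The weakness class described above (CWE-917) comes down to where the client-supplied key ends up: in the text of the expression, or in the data the expression operates on. The Java example below is added here to illustrate that distinction; it is not Spring Data REST's code and makes no claim about how the library builds its expressions. It assumes a hypothetical entity `Profile` with a Map-typed `attributes` property, decodes the JSON Pointer segment per RFC 6901, shows the unsafe string-concatenation pattern (built but deliberately never evaluated), and then applies the patch safely by keeping the expression text fixed and passing the key as a SpEL variable inside Spring's restricted `SimpleEvaluationContext`. The allowlist regex is a defence-in-depth choice of this example, not a Spring rule.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class MapPatchExample {

    /** Hypothetical entity exposing a Map-typed property (assumption for this example). */
    public static class Profile {
        private Map<String, String> attributes = new HashMap<>();
        public Map<String, String> getAttributes() { return attributes; }
        public void setAttributes(Map<String, String> attributes) { this.attributes = attributes; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Defence in depth: only accept keys that look like ordinary identifiers/paths.
    // This allowlist is an assumption of the example, not something Spring mandates.
    private static final Pattern SAFE_KEY = Pattern.compile("[A-Za-z0-9_./~-]{1,64}");

    /** RFC 6901 segment decoding: "~1" -> "/" first, then "~0" -> "~" (order matters). */
    static String decodeSegment(String segment) {
        return segment.replace("~1", "/").replace("~0", "~");
    }

    /**
     * UNSAFE pattern (the CWE-917 shape): the decoded key becomes part of the
     * expression *text*. A key containing a quote or bracket changes the parsed
     * structure of the expression. Returned as a string only; never evaluated here.
     */
    static String unsafeExpressionText(String property, String rawSegment) {
        return property + "['" + decodeSegment(rawSegment) + "']";
    }

    /**
     * SAFE pattern: the expression text is fixed and built only from the
     * server-controlled property name; the client's key is bound as the
     * variable #key, so SpEL only ever treats it as data.
     */
    static void applyAdd(Profile root, String property, String rawSegment, String value) {
        String key = decodeSegment(rawSegment);
        if (!SAFE_KEY.matcher(key).matches()) {
            throw new IllegalArgumentException("rejected map key: " + key);
        }
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadWriteDataBinding().build();
        ctx.setVariable("key", key);
        Expression expr = PARSER.parseExpression(property + "[#key]");
        expr.setValue(ctx, root, value);
    }

    public static void main(String[] args) {
        Profile p = new Profile();
        // Simulated "add" operations with paths /attributes/color and /attributes/a~1b
        applyAdd(p, "attributes", "color", "blue");
        applyAdd(p, "attributes", "a~1b", "slash");   // stored under the decoded key "a/b"
        System.out.println(p.getAttributes());

        // A key with expression metacharacters: the unsafe builder silently changes structure,
        // the safe path rejects it before any SpEL parsing happens.
        String hostile = "x'] + ['y";
        System.out.println(unsafeExpressionText("attributes", hostile));
        try {
            applyAdd(p, "attributes", hostile, "z");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Two points the code makes explicit: the property name in `property + "[#key]"` must itself come from server-side metadata, never from the request, and the allowlist is a second line of defence rather than the fix. The fix is the variable binding: with `#key` the expression's abstract syntax is the same for every request, whatever the key contains.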

Status: PUBLISHED | Reserved 2026-04-22 | Published 2026-06-09 | Updated 2026-06-10 | Assigner: vmware

Severity: HIGH 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Problem types

CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection)

Product status

Default status: unaffected

3.7.0 (custom) before 3.7.20: affected
4.3.0 (custom) before 4.3.17: affected
4.4.0 (custom) before 4.4.15: affected
4.5.0 (custom) before 4.5.12: affected
5.0.0 (custom) before 5.0.6: affected

References

spring.io/security/cve-2026-41729

cve.org (CVE-2026-41729)

nvd.nist.gov (CVE-2026-41729)
