Description

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
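To make the matching flaw concrete, the following is an added illustration written for this page; it is not Spring for Apache Kafka's code, and the method names `trustedByPrefix`, `trustedByExactPackage` and the sample class names are hypothetical. It places a bare string-prefix match (the pattern the description attributes to the affected versions) beside a check that compares the class's own package to the trusted list exactly, so that trusting `com.example.model` no longer extends to its subpackages.

```java
import java.util.List;

// Hypothetical illustration (not Spring Kafka's code) of why a prefix check
// over-trusts subpackages, beside a package-boundary-aware check.
public class TrustedPackageCheck {

    // Vulnerable pattern: trusting "com.example.model" also accepts any type
    // under "com.example.model.*", including subpackages the operator never listed.
    static boolean trustedByPrefix(String className, List<String> trustedPackages) {
        for (String pkg : trustedPackages) {
            if (className.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    // Hardened pattern: the class's immediate package must equal a trusted
    // package exactly, so subpackages have to be listed explicitly.
    static boolean trustedByExactPackage(String className, List<String> trustedPackages) {
        int dot = className.lastIndexOf('.');
        String pkg = dot < 0 ? "" : className.substring(0, dot);
        return trustedPackages.contains(pkg);
    }

    public static void main(String[] args) {
        // Constructed sample: one trusted package and a few header type names.
        List<String> trusted = List.of("com.example.model");
        String[] samples = {
            "com.example.model.Order",            // the type the operator meant to allow
            "com.example.model.internal.Helper",  // subpackage: accepted by the prefix check only
            "java.util.HashMap"                   // unrelated package: rejected by both
        };
        for (String name : samples) {
            System.out.printf("%-36s prefix=%-5b exact=%b%n",
                    name, trustedByPrefix(name, trusted), trustedByExactPackage(name, trusted));
        }
    }
}
```

Running `main` prints one line per sample; only the subpackage case differs between the two checks, which is exactly the gap the description calls out. In a real consumer the check should sit in front of whatever deserializer turns the header value into an object, and the trusted list should name each package that is genuinely expected rather than relying on a parent package to cover its children.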

PUBLISHED Reserved 2026-04-22 | Published 2026-06-09 | Updated 2026-06-10 | Assigner vmware

HIGH: 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

Default status
unaffected

4.0.0 (custom) before 4.0.6
affected

3.3.0 (custom) before 3.3.16
affected

3.2.0 (custom) before 3.2.14
affected

2.9.0 (custom) before 2.9.14
affected

2.8.0 (custom) before 2.8.12
affected

References

spring.io/security/cve-2026-41731

cve.org (CVE-2026-41731)

nvd.nist.gov (CVE-2026-41731)