CVE-2026-41696
Regex Injection in Spring Data MongoDB

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Affected Vendors & Products
Vendor: vmware
Product: spring_data_mongodb
Version / Range: From 3.4.0 (inc) to 5.0.5 (inc)
CWE ID: CWE-943
Description: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
AI Quick Actions
Executive Summary

CVE-2026-41696 is a security vulnerability in Spring Data MongoDB repository query methods that use regex parameter binding with the @Query annotation.

The vulnerability occurs because of insufficient validation of the bound parameter, which allows an attacker to supply a crafted string that breaks out of the intended regular expression quoting.

Impact Analysis

This vulnerability can lead to unauthorized data exposure or bypass of query filters.

The risk is especially significant when the repository is exposed to untrusted sources, such as through Spring Data REST.

Mitigation Strategies

To mitigate this vulnerability, upgrade Spring Data MongoDB to the patched release of whichever affected version line is in use.

Applying the necessary updates will address the insufficient validation of regex parameter binding in repository query methods annotated with @Query.
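Until the upgrade is rolled out, the application can also refuse to pass raw input into a regex binding. The following is an added illustration in the project's language, not code from this advisory or from Spring Data; `Customer`, `CustomerRepository`, `RegexLiteral` and `CustomerLookup` are hypothetical names, and the escaper deliberately backslash-escapes each metacharacter rather than wrapping the value in quote delimiters.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

// Hypothetical document and repository, used only to illustrate the pattern.
record Customer(String id, String email) {}

interface CustomerRepository extends MongoRepository<Customer, String> {
    // Regex parameter binding: the bound value ends up inside a $regex operator.
    @Query("{ 'email': { $regex: ?0, $options: 'i' } }")
    List<Customer> findByEmailPattern(String pattern);
}

final class RegexLiteral {
    // Metacharacters of the regex dialect MongoDB evaluates. Each one is escaped
    // individually instead of relying on \Q...\E delimiters, so no sequence inside
    // the value can end the quoting early and change the query's logic.
    private static final String META = "\\^$.|?*+()[]{}";

    private RegexLiteral() {}

    static String escape(String raw) {
        StringBuilder out = new StringBuilder(raw.length() * 2);
        for (char c : raw.toCharArray()) {
            if (META.indexOf(c) >= 0) out.append('\\');
            out.append(c);
        }
        return out.toString();
    }

    // Sanity check for a unit test: the escaped form must match the original
    // value literally and nothing broader (checked here with java.util.regex).
    static boolean matchesOnlyLiteral(String raw) {
        Pattern p = Pattern.compile("^" + escape(raw) + "$");
        return p.matcher(raw).matches() && !p.matcher(raw + "x").matches();
    }
}

class CustomerLookup {
    private final CustomerRepository repo;
    CustomerLookup(CustomerRepository repo) { this.repo = repo; }

    // Untrusted input (a search box, a Spring Data REST parameter) is escaped
    // before it reaches the regex binding, so it can only match literally.
    List<Customer> byEmailPrefix(String untrustedPrefix) {
        return repo.findByEmailPattern("^" + RegexLiteral.escape(untrustedPrefix));
    }
}
```

Escaping narrows what a caller can express to a literal prefix; it does not replace the upgrade, which fixes the binding itself.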

Compliance Impact

This vulnerability can lead to unauthorized data exposure or bypass of query filters when the repository is exposed to untrusted sources. Such unauthorized data exposure may result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal or health information.

Organizations using affected versions of Spring Data MongoDB should upgrade to patched versions to mitigate the risk and maintain compliance with these standards.
