CVE-2026-41717
SpEL Expression Injection in Spring Data MongoDB

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Affected Vendors & Products (8 associated CPEs)

Vendor   Product       Version / Range
spring   datamongodb   From 3.4.0 (inc) to 5.0.5 (inc)
spring   datamongodb   From 4.5.0 (inc) to 4.5.11 (inc)
spring   datamongodb   From 4.4.0 (inc) to 4.4.14 (inc)
spring   datamongodb   From 4.3.0 (inc) to 4.3.16 (inc)
spring   datamongodb   From 4.2.0 (inc) to 4.2.15 (inc)
spring   datamongodb   From 4.1.0 (inc) to 4.1.14 (inc)
spring   datamongodb   From 4.0.0 (inc) to 4.0.15 (inc)
spring   datamongodb   From 3.4.0 (inc) to 3.4.19 (inc)
CWE
CWE-917: The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Executive Summary

CVE-2026-41717 is a SpEL (Spring Expression Language) expression injection vulnerability found in Spring Data MongoDB.

The vulnerability occurs when a user-defined repository query method is annotated with @Query and uses a capture-all placeholder, such as @Query("?0") or @Query(":#{?0}").

If the application defines such a method, exposes it to untrusted input (for example, through Spring Data REST or a custom web endpoint), and passes unsanitized user input directly to this method, it becomes vulnerable to expression injection attacks.

Impact Analysis

This vulnerability is rated high severity, with a CVSS base score of 8.1.

An attacker can exploit this vulnerability to inject malicious SpEL expressions, potentially leading to unauthorized data access, data manipulation, or other harmful actions within the application.

Because it affects confidentiality, integrity, and availability (C:H/I:H/A:H), the impact can include data breaches, corruption, or denial of service.

Detection Guidance

This vulnerability is present when a user-defined repository query method in Spring Data MongoDB is annotated with @Query, uses a capture-all placeholder, and is exposed to unsanitized user input. Detection therefore means locating such methods in your codebase and checking whether they are reachable from untrusted input.

There are no specific network or system commands provided to detect this vulnerability directly.

To detect potential exploitation, you can review your application source code for @Query or @Aggregation annotations with capture-all placeholders (e.g., @Query("?0") or @Query(":#{?0}")) and verify if these methods are reachable from external inputs.
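A source-code check for the pattern described above, added here as an example that is not part of this advisory: it scans Java repository interfaces for @Query or @Aggregation annotations whose entire value is a capture-all placeholder (?N or :#{?N}) and reports the annotated method. The sample repository source is constructed; each finding still has to be reviewed for whether the method is reachable from untrusted input.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Spring Data MongoDB repository; not taken from any real project.
SAMPLE_JAVA = '''public interface PersonRepository extends MongoRepository<Person, String> {
    // Capture-all placeholder: the whole query document comes from the argument.
    @Query("?0")
    List<Person> findByRawQuery(String query);
    // Capture-all SpEL placeholder.
    @Query(":#{?0}")
    List<Person> findBySpel(String query);
    // Field-level binding: the argument is bound as a value inside a fixed query.
    @Query("{ 'lastname': ?0 }")
    List<Person> findByLastname(String lastname);
    @Aggregation("?0")
    List<Person> aggregateRaw(String pipeline);
    @Query(value = "{ 'firstname': :#{#name} }")
    List<Person> findByName(@Param("name") String name);
}
'''

@dataclass
class Finding:
    line: int        # line of the annotation in the scanned source
    annotation: str  # "Query" or "Aggregation"
    expression: str  # the annotation's string value
    method: str      # name of the annotated method, if found

# Annotation value that is nothing but one positional placeholder: ?N or :#{?N}.
CAPTURE_ALL = re.compile(r'^\s*(?::#\{\s*\?\d+\s*\}|\?\d+)\s*$')
ANNOTATION = re.compile(r'@(Query|Aggregation)\s*\(\s*(?:value\s*=\s*)?"((?:[^"\\]|\\.)*)"')
METHOD_NAME = re.compile(r'\b(\w+)\s*\(')

def scan_repository_source(src: str) -> list[Finding]:
    # Report every @Query/@Aggregation whose whole value is a capture-all placeholder.
    lines = src.splitlines()
    findings = []
    for idx, line in enumerate(lines, start=1):
        m = ANNOTATION.search(line)
        if not m or not CAPTURE_ALL.match(m.group(2)):
            continue
        # Method declaration assumed to be the next line that is not blank, a comment or an annotation.
        method = '<unknown>'
        for follow in lines[idx:]:
            s = follow.strip()
            if s and not s.startswith(('//', '@')):
                name = METHOD_NAME.search(s)
                method = name.group(1) if name else method
                break
        findings.append(Finding(idx, m.group(1), m.group(2), method))
    return findings
```

Run it over each file under src/ that declares a repository interface; field-level bindings such as `{ 'lastname': ?0 }` are intentionally not reported, since only the whole-value placeholder is the shape the advisory describes.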

Mitigation Strategies

The primary mitigation step is to upgrade Spring Data MongoDB to a fixed version that addresses this vulnerability.

Additionally, ensure that any repository query methods annotated with @Query or @Aggregation do not accept unsanitized user input, especially if they use capture-all placeholders.

Restrict or validate inputs to these methods and avoid exposing them directly to untrusted sources such as Spring Data REST or custom web endpoints.

Compliance Impact

This vulnerability allows injection of malicious Spring Expression Language (SpEL) expressions through unsanitized user input in certain query methods. Such an injection can lead to unauthorized data access, modification, or deletion, which may result in breaches of confidentiality, integrity, and availability of sensitive data.

Because of the potential for unauthorized access and manipulation of data, organizations using affected versions of Spring Data MongoDB without proper mitigation may risk non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal and sensitive health information.

To maintain compliance, affected users should upgrade to fixed versions and ensure that user inputs are properly sanitized and validated to prevent exploitation of this vulnerability.
