CVE-2026-41719
Status: Awaiting Analysis - Queue

SpEL Injection in Spring Data KeyValue

Vulnerability report for CVE-2026-41719, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description

A SpEL Injection vulnerability exists in Spring Data KeyValue if unsanitized user input is passed as a Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External records: NVD, EUVD

Affected Vendors & Products

Showing 16 associated CPEs
Vendor Product Version / Range
vmware spring_data_keyvalue 2.7.0
vmware spring_data_keyvalue 3.0.0
vmware spring_data_keyvalue 3.1.0
vmware spring_data_keyvalue 3.2.0
vmware spring_data_keyvalue 3.3.0
vmware spring_data_keyvalue 3.4.0
vmware spring_data_keyvalue 3.5.0
vmware spring_data_keyvalue 4.0.0
vmware spring_data_redis 2.7.0
vmware spring_data_redis 3.0.0
vmware spring_data_redis 3.1.0
vmware spring_data_redis 3.2.0
vmware spring_data_redis 3.3.0
vmware spring_data_redis 3.4.0
vmware spring_data_redis 3.5.0
vmware spring_data_redis 4.0.0

Exploitability

CWE-917: The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-41719 is a SpEL (Spring Expression Language) Injection vulnerability in Spring Data KeyValue's SpelPropertyComparator.

The issue occurs when unsanitized user input is passed as a Sort parameter to a repository query method that uses SpelPropertyComparator for sorting.

The application is vulnerable only if all these conditions are met: the SpelPropertyComparator is used for sorting, the method is exposed to untrusted input (such as through a custom REST endpoint), and unsanitized user input is directly passed to the method.

Affected versions include Spring Data KeyValue from 2.7.0 to 4.0.5 and Spring Data Redis versions that depend on these affected versions.

Impact Analysis

This vulnerability can allow an attacker to inject malicious SpEL expressions through unsanitized user input in sorting parameters.

Successful exploitation could lead to unauthorized data access or manipulation because the injected expressions are evaluated by the SpelPropertyComparator.

The CVSS v3.1 base score of 6.4 indicates a medium severity with high impact on confidentiality, low impact on integrity, and low impact on availability.

Mitigation Strategies

To mitigate the CVE-2026-41719 vulnerability, you should upgrade affected Spring Data KeyValue and Spring Data Redis versions to the fixed releases.

  • Upgrade to version 4.0.6 for the 4.0.x line.
  • Upgrade to version 3.5.12 for the 3.5.x line.
  • Upgrade to version 2.7.20 for the 2.7.x line.

Note that fixes for versions 3.4.x, 3.3.x, and 2.7.x are available only through Enterprise Support.
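Every condition listed in the summary above comes down to attacker-controlled text reaching the Sort that is handed to the repository, so besides upgrading, an endpoint should only ever build a Sort from property names it already knows. The following helper is an added example, not code from this page or from the Spring Data project; the class name, the allowlisted field names and the default ordering are assumptions, and it uses only the standard org.springframework.data.domain.Sort API so the result can be passed to a repository call such as findAll(Sort).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.data.domain.Sort;

// Hypothetical helper: turns the "property,direction" strings of a request
// into a Sort, accepting only property names from a fixed allowlist so that
// free-form request text never reaches the comparator's expression evaluation.
public final class SafeSort {
    // Assumed entity fields that clients are permitted to sort by.
    private static final Set<String> ALLOWED = Set.of("lastName", "createdAt", "status");
    // A bare identifier: dots, brackets, '#', quotes and parentheses are all rejected.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private SafeSort() {}

    public static Sort fromRequest(List<String> rawOrders) {
        if (rawOrders == null || rawOrders.isEmpty()) {
            return Sort.by("createdAt"); // fixed default, never derived from input
        }
        List<Sort.Order> orders = new ArrayList<>();
        for (String raw : rawOrders) {
            String[] parts = raw.split(",", -1);
            if (parts.length > 2) {
                throw new IllegalArgumentException("malformed sort parameter");
            }
            String property = parts[0].trim();
            // Shape check first, then exact membership in the allowlist.
            if (!IDENT.matcher(property).matches() || !ALLOWED.contains(property)) {
                throw new IllegalArgumentException("unsupported sort property");
            }
            Sort.Direction direction = Sort.Direction.ASC;
            if (parts.length == 2) {
                // fromString() only accepts asc/desc (case-insensitive) and
                // throws IllegalArgumentException for anything else.
                direction = Sort.Direction.fromString(parts[1].trim());
            }
            orders.add(new Sort.Order(direction, property));
        }
        return Sort.by(orders);
    }
}
```

A controller would call SafeSort.fromRequest(sortParams) and pass the result to the repository instead of building Sort.by(...) from the raw query string; an IllegalArgumentException should be mapped to a 400 response.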
