CVE-2026-41729
SpEL Expression Injection in Spring Data REST

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Affected Vendors & Products
Vendor Product Version / Range
spring_project spring_data_rest From 3.7.0 (inc) to 3.7.19 (inc)
spring_project spring_data_rest From 4.3.0 (inc) to 4.3.16 (inc)
spring_project spring_data_rest From 4.4.0 (inc) to 4.4.14 (inc)
spring_project spring_data_rest From 4.5.0 (inc) to 4.5.11 (inc)
spring_project spring_data_rest From 5.0.0 (inc) to 5.0.5 (inc)
CWE
CWE ID Description
CWE-917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Compliance Impact

The vulnerability allows an attacker to execute arbitrary code within the context of the application by exploiting SpEL injection through map-typed properties in JSON Patch requests. This can lead to unauthorized access or manipulation of sensitive data.

Such unauthorized access or data manipulation could potentially result in violations of compliance requirements under standards like GDPR or HIPAA, which mandate strict controls over data confidentiality and integrity.

Therefore, if exploited, this vulnerability may compromise the security controls necessary to maintain compliance with these regulations.

Executive Summary

CVE-2026-41729 is a vulnerability in Spring Data REST that allows Spring Expression Language (SpEL) injection through map-typed properties when processing JSON Patch requests.

When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.

This means an attacker can craft a malicious map key in a JSON Patch request that gets evaluated as code, allowing arbitrary code execution within the application context.

To exploit this, the attacker must be able to send PATCH requests to the affected endpoint and the application must expose a Map-typed property accessible via the patch path.

Impact Analysis

This vulnerability can lead to arbitrary code execution within the context of the affected application.

An attacker exploiting this flaw could potentially execute malicious commands, manipulate data, or compromise the integrity and security of the application.

Since the vulnerability affects both read and write operations in JSON Patch requests, it can be used to alter application behavior or access sensitive information.

Detection Guidance

This vulnerability involves SpEL injection through map-typed properties in JSON Patch requests with Content-Type application/json-patch+json. Detection involves monitoring for PATCH requests targeting Spring Data REST endpoints that expose map-typed properties.

Specifically, you can look for suspicious PATCH requests containing JSON Patch payloads where the path segments include unusual or crafted SpEL expressions.

To detect such activity, filter PATCH requests carrying that Content-Type header, either in network captures or in request logs, and inspect the JSON Patch payload for suspicious map keys in the path segments.

  • Using tcpdump or tshark to capture PATCH requests with the application/json-patch+json content type. The request body is only visible on plaintext HTTP or when the capture can be decrypted with the TLS session keys; where TLS terminates at a reverse proxy, inspect there or at the application instead.
  • Example tshark command: tshark -Y 'http.request.method == "PATCH" && http.content_type == "application/json-patch+json"' -T fields -e http.file_data
  • Using grep or jq on request logs to find JSON Patch payloads whose map keys look like SpEL expressions (e.g., containing #{...} or other syntax a plain map key would not need). Standard web server access logs record the request line and headers but not the body, so this requires body logging at the application, reverse proxy or WAF layer.

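As an added illustration of the log-inspection step above (this is example code written for this page, not code from the page's author or from the Spring project), the following Python script scans request records for JSON Patch operations whose JSON Pointer segments contain SpEL syntax rather than a plain map key. It assumes a constructed JSON-lines log format with method, uri, content_type and body fields, and the sample records, including the "#{...}" keys, are constructed placeholders. The script decodes RFC 6901 escapes ("~1" and "~0") before inspecting each segment, checks the "from" member of move/copy operations as well as "path", and ignores Content-Type parameters such as a charset when matching the media type.

```python
"""Flag JSON Patch requests whose JSON Pointer segments look like SpEL
expressions rather than plain map keys (added detection example)."""
import json
import re

JSON_PATCH_CT = "application/json-patch+json"

# Characters an ordinary map key does not need but a SpEL expression does:
# template markers (#{ ${), method/indexer syntax, string quotes, bean refs.
SUSPICIOUS = re.compile(r"[#${}()\[\]'\"@]")


def unescape_pointer_segment(seg: str) -> str:
    """Decode RFC 6901 escapes: '~1' -> '/', then '~0' -> '~' (order matters)."""
    return seg.replace("~1", "/").replace("~0", "~")


def suspicious_segments(ops: list) -> list:
    """Return (pointer, decoded_segment) pairs whose segment contains SpEL syntax."""
    findings = []
    for op in ops:
        if not isinstance(op, dict):
            continue
        # move/copy carry a second pointer in "from"; inspect it too.
        for member in ("path", "from"):
            pointer = op.get(member)
            if not isinstance(pointer, str):
                continue
            for raw in pointer.split("/")[1:]:
                seg = unescape_pointer_segment(raw)
                if SUSPICIOUS.search(seg):
                    findings.append((pointer, seg))
    return findings


def scan_log(lines) -> list:
    """Walk JSON-lines request records (constructed format with method, uri,
    content_type and body fields) and return one alert per suspicious segment."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") != "PATCH":
            continue
        # Drop parameters such as ";charset=utf-8" before matching the media type.
        media_type = rec.get("content_type", "").split(";")[0].strip().lower()
        if media_type != JSON_PATCH_CT:
            continue
        try:
            ops = json.loads(rec.get("body", ""))
        except json.JSONDecodeError:
            # A PATCH with this media type but no parseable patch is itself odd.
            alerts.append({"line": lineno, "uri": rec.get("uri"), "pointer": None,
                           "segment": None, "reason": "unparseable JSON Patch body"})
            continue
        if not isinstance(ops, list):
            continue
        for pointer, seg in suspicious_segments(ops):
            alerts.append({"line": lineno, "uri": rec.get("uri"), "pointer": pointer,
                           "segment": seg, "reason": "SpEL syntax in map key"})
    return alerts


# Constructed sample records; the "#{...}" keys are placeholders, not real payloads.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"method": "PATCH", "uri": "/orders/42", "content_type": JSON_PATCH_CT,
     "body": '[{"op":"replace","path":"/attributes/color","value":"red"}]'},
    {"method": "PATCH", "uri": "/orders/42", "content_type": JSON_PATCH_CT + ";charset=utf-8",
     "body": '[{"op":"add","path":"/attributes/#{constructed~1key}","value":1}]'},
    {"method": "POST", "uri": "/orders", "content_type": "application/json",
     "body": '{"attributes":{"#{ignored}":1}}'},
    {"method": "PATCH", "uri": "/orders/42", "content_type": "application/merge-patch+json",
     "body": '{"attributes":{"color":"blue"}}'},
    {"method": "PATCH", "uri": "/orders/43", "content_type": JSON_PATCH_CT,
     "body": '[{"op":"move","from":"/attributes/#{other}","path":"/attributes/target"}]'},
]]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The character class is a heuristic tuned for map keys that are expected to be plain identifiers; if an application legitimately stores keys with quotes or brackets, narrow it to the template markers and parentheses to keep the alert volume manageable.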
Mitigation Strategies

The primary and recommended mitigation is to upgrade Spring Data REST to a fixed version that addresses this vulnerability.

  • Upgrade to Spring Data REST version 3.7.20 if you are using any version from 3.7.0 through 3.7.19.
  • Upgrade to version 4.3.17 if using 4.3.0 through 4.3.16.
  • Upgrade to version 4.4.15 if using 4.4.0 through 4.4.14.
  • Upgrade to version 4.5.12 if using 4.5.0 through 4.5.11.
  • Upgrade to version 5.0.6 if using 5.0.0 through 5.0.5.

Until upgrading is possible, consider restricting access to the affected endpoints to trusted users only and monitoring for suspicious PATCH requests.
