CVE-2026-41732
Status: Received - Intake
JsonPulsarHeaderMapper Package Trust Bypass in Spring for Apache Pulsar

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Affected Vendors & Products (3 associated CPEs)

Vendor   Product                   Version / Range
vmware   spring_for_apache_pulsar  2.0.0 (inclusive) to 2.0.5 (inclusive)
vmware   spring_for_apache_pulsar  1.2.0 (inclusive) to 1.2.17 (inclusive)
vmware   spring_for_apache_pulsar  1.1.0 (inclusive) to 1.1.17 (inclusive)
CWE

CWE-502  Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

CVE-2026-41732 is a vulnerability in Spring for Apache Pulsar where the JsonPulsarHeaderMapper matches type headers against trusted packages using a prefix check. This means that if a package is trusted, all its subpackages are implicitly trusted as well.

Additionally, if the trusted-packages configuration is left empty, it defaults to trusting all packages instead of applying a safe default allow-list. This broad trust combined with Jackson's default bean deserialization allows a malicious producer to craft header values that can deserialize arbitrary JDK classes, potentially causing harmful side effects such as allocating file descriptors or spawning thread pools.
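The two trust checks the summary describes, side by side, as an added example written for this page in Java. It is not JsonPulsarHeaderMapper's code and does not call the Spring for Apache Pulsar API; the class name, method names, the default allow-list and the sample type names are all assumptions. It also shows one consequence the summary does not spell out: a raw prefix match accepts any class name that merely begins with the trusted string, not only true subpackages.

```java
import java.util.List;
import java.util.Set;

/**
 * Hypothetical illustration of the two flaws behind CVE-2026-41732
 * (prefix matching, and "empty config means trust everything").
 * Example code for this page only; not the library's implementation.
 */
public final class TypeHeaderTrust {

    // Assumed safe default for the hardened check when nothing is configured.
    // This is an example value, not the library's actual default allow-list.
    static final Set<String> DEFAULT_TRUSTED = Set.of("java.util", "java.lang");

    /** Vulnerable shape: startsWith() match, and an empty list trusts all. */
    static boolean isTrustedVulnerable(List<String> trusted, String className) {
        if (trusted.isEmpty()) {
            return true;                           // empty config == trust everything
        }
        for (String pkg : trusted) {
            if (className.startsWith(pkg)) {       // matches subpackages AND any
                return true;                       // other name sharing the prefix
            }
        }
        return false;
    }

    /** Hardened shape: exact package match against an explicit or default allow-list. */
    static boolean isTrustedHardened(List<String> trusted, String className) {
        Set<String> allow = trusted.isEmpty() ? DEFAULT_TRUSTED : Set.copyOf(trusted);
        int dot = className.lastIndexOf('.');
        if (dot < 0) {
            return false;                          // unqualified name: reject
        }
        String pkg = className.substring(0, dot);  // "java.util.ArrayList" -> "java.util"
        return allow.contains(pkg);                // exact package only, no subpackages
    }

    public static void main(String[] args) {
        List<String> trusted = List.of("com.example.events");
        List<String> empty = List.of();
        // Constructed sample type names; the JDK class is only an illustration.
        String[] samples = {
            "com.example.events.OrderCreated",         // intended: trusted
            "com.example.events.internal.Secret",      // subpackage: must not be trusted
            "com.example.eventsfoo.Bar",               // shares the prefix only
            "java.util.concurrent.ThreadPoolExecutor"  // JDK type from a producer
        };
        for (String s : samples) {
            System.out.printf("%-42s vulnerable=%-5b hardened=%-5b%n", s,
                isTrustedVulnerable(trusted, s), isTrustedHardened(trusted, s));
        }
        // Empty configuration: vulnerable trusts everything, hardened falls back to the default.
        System.out.println("empty config, " + samples[3] + ": vulnerable="
            + isTrustedVulnerable(empty, samples[3])
            + " hardened=" + isTrustedHardened(empty, samples[3]));
    }
}
```

Run with `java TypeHeaderTrust.java` (Java 11 or later). With `com.example.events` trusted, the vulnerable check accepts the first three names and the hardened check accepts only the first; with an empty list the vulnerable check accepts the JDK type and the hardened check rejects it because `java.util.concurrent` is not an exact entry of the default allow-list.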

Impact Analysis

The flaw lets a producer that can write message headers choose which classes the consumer's JSON header mapper will instantiate, so the attacker controls deserialization of data the consumer never intended to trust.

  • Instantiation of arbitrary JDK classes whose construction has side effects.
  • Allocation of file descriptors during that instantiation.
  • Creation of thread pools or other resource-intensive objects.

Repeated across many messages, these side effects can exhaust consumer resources and lead to denial of service or instability of the application running Spring for Apache Pulsar. The advisory describes resource-consuming side effects, not confirmed code execution.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Spring for Apache Pulsar to the fixed versions.

  • Upgrade to version 2.0.6 (OSS) or 2.0.5.1 (Commercial) for the 2.0.x series.
  • Upgrade to version 1.2.18 (OSS) or 1.2.17.1 (Commercial) for the 1.2.x series.
  • Upgrade to version 1.1.18 (Commercial) for the 1.1.x series.

No workaround is needed beyond upgrading. Because the flaw was in how trusted packages were matched, review the trusted-packages configuration after upgrading: list only the packages whose types are expected in headers, rather than relying on an empty configuration or on a broad parent package, and treat any type header arriving from a producer as untrusted input.

Compliance Impact

The vulnerability in JsonPulsarHeaderMapper allows malicious producers to craft header values that cause the consumer to deserialize arbitrary JDK classes, with side effects such as file descriptor allocation or thread pool creation. Deserializing untrusted data without validation (CWE-502) is a control failure under data protection standards such as GDPR or HIPAA, which require demonstrable controls over the integrity and availability of systems that process regulated data.

Organizations running affected versions of Spring for Apache Pulsar therefore carry an elevated risk of service disruption on message-consuming components, which is a reportable availability concern under those regimes.

Upgrading to the fixed versions is recommended to remove this risk and maintain compliance with such standards.
