CVE-2026-41696: Spring Data MongoDB @Query Regex Injection Vulnerability
Spring Data MongoDB, a widely-used persistence framework for MongoDB, contains a query injection vulnerability affecting multiple versions. When developers use the @Query annotation with regex parameter binding, the framework fails to properly validate user-supplied input. This allows an attacker to craft a malicious string that escapes the intended regex boundaries and inject arbitrary queries. The vulnerability does not currently appear on the CISA KEV catalog, but the broad version range affected and the sensitive nature of database queries make it a meaningful risk for organizations relying on Spring Data MongoDB.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-943
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Spring Data MongoDB's query method binding mechanism when @Query annotations employ regex parameter binding. The framework's insufficient input validation fails to properly quote or escape regex metacharacters in bound parameters. This allows an attacker to break out of the regex context and inject unintended query patterns. The flaw is classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), a category encompassing query injection issues. Affected releases span from version 3.4.0 through the current 5.0.5, affecting eight major version lines. The attack surface includes any application endpoint that accepts user input routed through a @Query-annotated method with regex binding.
Business impact
Organizations using Spring Data MongoDB for customer-facing applications face potential data exposure. A successful attack could allow unauthorized data access (the CVSS vector indicates confidentiality impact), though not direct data modification or service disruption. The attack requires a higher bar to execute than simple network access, but nonetheless poses a meaningful risk to applications handling sensitive information—customer records, financial data, healthcare information, or proprietary business data stored in MongoDB. Remediation requires coordination across development teams to identify affected query methods and upgrade library versions, potentially triggering regression testing cycles.
Affected systems
Spring Data MongoDB versions 3.4.0–3.4.19, 4.0.0–4.0.15, 4.1.0–4.1.14, 4.2.0–4.2.15, 4.3.0–4.3.16, 4.4.0–4.4.14, 4.5.0–4.5.11, and 5.0.0–5.0.5 are affected. Any Java application using these versions of Spring Data MongoDB with @Query-annotated repository methods that employ regex parameter binding is potentially vulnerable. This includes Spring Boot applications, microservices, and traditional Spring Framework deployments. The vulnerability does not affect applications that do not use the @Query annotation or those that handle regex binding through alternative patterns.
Exploitability
The vulnerability has a CVSS score of 5.9 (MEDIUM severity) with a network attack vector and high complexity. Exploitation requires an attacker to craft and supply a specific malicious string to a vulnerable query method—feasible for any application accepting user input without sufficient application-level filtering. The high complexity factor suggests the injection payload must be carefully constructed to break out of the regex context. However, it is not a remote unauthenticated vulnerability; depending on application logic, some level of application interaction or network access may be required. The vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities catalog, indicating no active exploitation in the wild has been publicly disclosed to date.
Remediation
Upgrade Spring Data MongoDB to a patched version. Organizations should move to the latest stable release of their applicable major version line or newer. For example, applications on version 4.x should upgrade to 4.5.12 or later, and those on version 5.x should upgrade to 5.0.6 or later—verify against the official VMware Spring Data MongoDB advisory for exact patched versions. Until an upgrade is feasible, mitigate by auditing @Query-annotated methods that use regex binding and consider adding application-level input validation on user-supplied query parameters. Monitor MongoDB query logs for unusual patterns that may indicate exploitation attempts.
Patch guidance
Check the VMware Spring Data MongoDB project for official release notes identifying patched versions. Patch availability varies by version line; consult the vendor advisory to identify the first patched release for your currently deployed version. Plan a staged rollout: update development and test environments first, run the application's test suite to detect regressions, then proceed to staging and production. Applications using Spring Boot can manage the upgrade through dependency management; verify compatibility with other Spring components (Spring Framework, Spring Boot version) in your project. If an immediate upgrade is not possible, prioritize applications that expose @Query methods to untrusted user input.
Detection guidance
Search your codebase for @Query annotations on repository methods that include regex parameter binding patterns—typically signified by keywords like regex, pattern, or $regex in the query string. Review logs from your MongoDB instances for unexpected query patterns or errors that may indicate injection attempts. Network-based detection is difficult without application-level logging; focus on source code review and configuration audits. Consider adding application instrumentation to log the actual parameters bound to @Query methods in non-production environments to understand the attack surface. Check your Spring Data MongoDB version via Maven Central or your package manager's dependency listing.
Why prioritize this
Although the CVSS score is MEDIUM (5.9) and the vulnerability is not yet actively exploited, the broad version range affected (versions 3.4 through 5.0) makes this a widespread concern. Any organization using Spring Data MongoDB with public-facing or multi-tenant applications handling sensitive data should treat this as a higher priority. The patches are available and the upgrade path is well-defined, making remediation tractable. Prioritize based on the sensitivity of data exposed by each application and whether user-supplied input flows into @Query regex methods.
Risk score, explained
The CVSS score of 5.9 reflects a network-accessible vulnerability with high complexity, requiring an attacker to craft a precise injection payload. The score emphasizes confidentiality impact (data disclosure) but notes no integrity or availability impact. The complexity factor accounts for the specific prerequisites: the application must use @Query with regex binding, and the attacker must understand the query structure. The lack of active exploitation and non-KEV status temper the perceived urgency, but the widespread version distribution and potential for data exposure warrant careful monitoring and timely patching.
Frequently asked questions
Do all Spring Data MongoDB applications need to patch this vulnerability?
No. Only applications using the @Query annotation with regex parameter binding are affected. Applications using standard Spring Data MongoDB repository queries (e.g., findByFieldName) or non-regex @Query patterns are not vulnerable. Review your codebase for @Query methods that incorporate regex operations.
Can this vulnerability be exploited remotely without authentication?
Exploitation depends on your application's design. If a vulnerable @Query method is exposed via an unauthenticated endpoint or accessible to untrusted users, then yes. If access is restricted to authenticated users or internal systems, the risk is lower—but an insider could still exploit it. Review your endpoint access controls and data sensitivity.
What is the practical impact of a successful exploit?
An attacker gains unauthorized read access to MongoDB data. They cannot modify, delete, or corrupt data, nor can they crash the service. The impact is confidentiality—the exposure of data that should remain private. For customer data, payment information, or proprietary content, this is a significant business risk.
Is there a workaround if I cannot upgrade immediately?
Apply defense-in-depth: implement strict input validation at the application layer for all user-supplied values passed to @Query methods, use MongoDB role-based access control to limit query scope, and enable MongoDB audit logging. These do not eliminate the vulnerability but reduce its exploitability. However, upgrading remains the recommended long-term solution.
This advisory is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co does not guarantee the completeness or accuracy of vendor disclosures. Organizations should consult official VMware Spring Data MongoDB advisories and their own security teams to determine applicability and remediation timelines. Patch versions and availability dates mentioned should be verified against vendor releases. No exploit code or weaponized proof-of-concept is provided or endorsed. Any deployment or testing of patches should be conducted in controlled environments and comply with applicable legal and policy requirements. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41697MEDIUMSpring Data Relational Query By Example SQL Injection Vulnerability
- CVE-2026-53674HIGHBuddyPress 14.4.0 Regular Expression Injection in Mentions
- CVE-2026-40989MEDIUMSpring Cloud Function Infinite Recursion OOM Vulnerability
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-41008MEDIUMSpring Authorization Server Open Redirect Vulnerability (CVSS 6.1)
- CVE-2026-41706MEDIUMSpring Security Cookie-Based Open Redirect Vulnerability
- CVE-2026-41714MEDIUMSpring AMQP TLS Certificate Validation Bypass Vulnerability
- CVE-2026-41726MEDIUMSpring for Apache Kafka Unbounded Memory Allocation in DelegatingDeserializer