HIGH 8.1

CVE-2026-41717: Spring Data MongoDB SpEL Injection Remote Code Execution

Spring Data MongoDB has a vulnerability where specially crafted database queries can execute arbitrary code on your application server. This happens when developers use the @Query annotation with certain placeholder patterns in their custom repository methods. An attacker who can influence the query parameters—either through application input or by compromising a data source—can inject malicious expressions that the framework will execute with your application's privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-917
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41717 is a SpEL (Spring Expression Language) injection vulnerability in Spring Data MongoDB's parameter binding mechanism. When a repository method is annotated with @Query and uses a capture-all placeholder, user-supplied input bound to that placeholder is evaluated as a SpEL expression rather than treated as literal data. This occurs across Spring Data MongoDB versions 3.4.0 through 5.0.5, allowing unauthenticated remote code execution in affected deployments. The vulnerability stems from unsafe expression evaluation during query construction and does not require prior authentication or special database access.

Business impact

Successful exploitation enables remote code execution within your application's JVM process. An attacker can read sensitive files, modify or delete database records, pivot to internal systems, establish persistence, or exfiltrate data. The impact extends beyond MongoDB; compromised applications become entry points for lateral movement within your infrastructure. Organizations relying on Spring Data MongoDB for data access are at risk unless running patched versions, particularly those processing untrusted input in query parameters or accepting externalized configuration.

Affected systems

VMware Spring Data MongoDB versions 3.4.0 through 5.0.5 are affected, spanning multiple maintenance branches. Organizations should inventory applications using Spring Data MongoDB and determine which versions are in use. This includes monolithic applications and microservices that depend on spring-data-mongodb as a transitive dependency. The vulnerability is only present in applications that (1) use @Query-annotated repository methods, and (2) pass user-controlled or external input to parameters bound by capture-all placeholders.

Exploitability

The vulnerability requires network access to the application (AV:N) but has high complexity (AC:H), suggesting barriers to exploitation such as application-specific input validation or filtering, though reliable exploitation techniques likely exist for many real-world configurations. No authentication is required (PR:N), and the attack does not depend on user interaction (UI:N). The complexity modifier suggests that exploitation depends on understanding the specific query structure and parameter binding in the target application, but once understood, it is reliably exploitable. No public exploit code or active exploitation has been documented at this time, though the attack surface is broad given the prevalence of Spring Data MongoDB in enterprise Java applications.

Remediation

Apply vendor security patches immediately. VMware will provide fixed versions for all affected release lines. Verify the exact patched version numbers in the official Spring Data MongoDB security advisory before deploying. In parallel, implement input validation and parameterization best practices: avoid dynamic query construction, use named parameters where possible, and treat all external input as untrusted. If you cannot patch immediately, disable or restrict access to affected repository methods and review logs for suspicious query patterns.

Patch guidance

Consult the official VMware/Pivotal Spring Data MongoDB security advisory for exact patched version numbers for each affected branch (3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x). Update spring-data-mongodb in your dependency management (Maven, Gradle) and perform full regression testing before production deployment. Spring Data MongoDB updates may be included in Spring Boot Bill of Materials (BOM) or Spring Cloud releases, so check your transitive dependencies. Prioritize patching applications in internet-facing or network-accessible tiers first.

Detection guidance

Search your codebase for @Query annotations combined with placeholder syntax, particularly capture-all patterns. Enable SpEL expression evaluation logging in Spring Data MongoDB if available. Monitor application logs for unusual SpEL expressions in query parameters—look for `T(`, `java.lang`, or system property access patterns in request logs. In network monitoring, watch for HTTP requests with encoded SpEL payloads (e.g., %7B%23 for {#). Database query logs may reveal suspicious query structures if expressions are evaluated before transmission. Correlate timing of unexpected code execution or system commands with inbound queries to affected repository methods.

Why prioritize this

CVE-2026-41717 merits immediate remediation due to its combination of high severity (CVSS 8.1), unauthenticated remote code execution, and broad applicability across Spring Data MongoDB user base. The vulnerability affects core data access patterns in Java applications and is not a niche edge case. Although exploit complexity is rated high, the control necessary to construct exploitation is within reach of skilled attackers with network access. Organizations should treat this as a critical patch for any internet-facing or internally-accessed applications using affected versions.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) reflects unauthenticated remote access (AV:N, PR:N, UI:N) resulting in confidentiality, integrity, and availability compromise (C:H, I:H, A:H). The AC:H (High Complexity) modifier acknowledges that exploitation requires specific application configuration (use of @Query with capture-all placeholders) and possibly application-level validation bypass, but this does not significantly reduce the overall risk in environments where Spring Data MongoDB is heavily used with custom query methods. The unchanged (U) scope assumption indicates the impact is confined to the affected application itself.

Frequently asked questions

Does this vulnerability affect Spring Data JPA or other Spring Data modules?

No. CVE-2026-41717 is specific to Spring Data MongoDB's parameter binding implementation. Spring Data JPA and other modules use different mechanisms and are not affected by this vulnerability, though organizations should verify their own Spring Data versions against official advisories.

If our applications don't use @Query annotations, are we safe?

If your code does not use @Query-annotated repository methods, the attack vector does not apply. However, review your codebase comprehensively—custom repositories, framework auto-configuration, or abstraction layers may use @Query implicitly. When in doubt, apply the patch.

Can a database administrator or legitimate application user exploit this?

Yes. The vulnerability does not require special database privileges. Any entity that can influence query parameters—including authenticated application users, external API callers, or compromised frontend applications—can potentially inject SpEL expressions if the vulnerable code path is exposed.

What is the difference between HIGH complexity (AC:H) and CRITICAL severity?

The AC:H rating means exploitation requires specific conditions or knowledge of the application's query structure, but once those conditions are met, the attacker gains full code execution. It is not a CRITICAL score because reliable weaponization is not trivial for all deployments, but the severity of impact (remote code execution) remains very high and should be treated as urgent.

This analysis is based on publicly available information as of the publication date. Security patches and affected version lists are subject to change; verify all version numbers and patch availability against official VMware/Pivotal Spring Data MongoDB security advisories before deployment. This explainer does not constitute professional security advice; consult your security team and conduct risk assessment appropriate to your environment. No exploit code or weaponized proof-of-concept is provided. SEC.co does not warrant the completeness or accuracy of this analysis for any specific deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).