MEDIUM 6.4

CVE-2026-41719: Spring Data KeyValue & Redis SpEL Injection

Spring Data KeyValue and Spring Data Redis are widely used libraries for integrating key-value stores with Spring applications. A vulnerability in these libraries allows an attacker with authenticated access to inject malicious SpEL (Spring Expression Language) code through the Sort parameter of repository query methods. When the application passes unsanitized user input to sorting operations, the SpelPropertyComparator evaluates that input as executable code rather than treating it as data. This could allow an authenticated user to read sensitive data, modify application behavior, or degrade system availability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Weaknesses (CWE)
CWE-917
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41719 is a SpEL injection flaw in Spring Data KeyValue and Spring Data Redis. The vulnerability stems from insufficient input validation in the SpelPropertyComparator class, which is used when repository query methods delegate sort operations. When a Sort object containing user-controlled data is passed to a query method without sanitization, the SpEL parser evaluates arbitrary expressions embedded in the sort parameter. Because SpEL provides access to Java object methods, an attacker can craft payloads to invoke arbitrary code execution within the application's JVM context. The vulnerability requires authentication (PR:L in the CVSS vector), meaning the attacker must have valid credentials to the application or API. The complexity is high (AC:H), suggesting exploitation may require specific application configuration or interaction patterns, but the scope remains unchanged and impact includes confidentiality, integrity, and availability concerns.

Business impact

Organizations using affected Spring Data KeyValue or Spring Data Redis versions face a risk of unauthorized data access and potential system compromise by authenticated users or compromised accounts. In multi-tenant environments, this could lead to cross-tenant data leakage. The vulnerability is particularly concerning for applications that accept user-provided sort parameters in public APIs or administrative interfaces. Depending on deployment context, exploitation could enable data exfiltration, modification of application state, or denial of service. However, the requirement for authentication and the high complexity barrier limit the population of viable attackers to those with legitimate system access or valid credentials.

Affected systems

Spring Data KeyValue versions 2.7.0 through 2.7.19, 3.0.0 through 3.0.15, 3.1.0 through 3.1.14, 3.2.0 through 3.2.15, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5 are affected. Spring Data Redis—which shares the vulnerable code path—is affected across the same version ranges. Applications using these libraries are at risk if they accept end-user input for sort operations without additional validation. Both stable and recent versions are affected; patched versions have not yet been provided in the published advisory data, so verification against vendor releases is essential.

Exploitability

Exploitation requires an authenticated user with network access to the application (AV:N). The attacker must craft a malicious Sort parameter and pass it to a repository query method in a way that triggers the vulnerable SpelPropertyComparator. The high complexity factor (AC:H) suggests that successful exploitation may depend on specific application configurations, API design choices, or Java runtime settings. The authentication requirement significantly reduces opportunistic risk, but insider threats, compromised service accounts, or valid users with malicious intent represent realistic attack vectors. Public exploit code or automated scanners are not widely available, which elevates the bar for opportunistic attackers but does not preclude sophisticated adversaries from reverse-engineering payloads. This is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

Remediation

The primary remediation is to update Spring Data KeyValue and Spring Data Redis to patched versions as released by Broadcom/VMware. Verify the specific patched version numbers against the official Spring Data project releases and security advisories. Until patches are applied, organizations should: (1) restrict access to query APIs that accept user-provided sort parameters, particularly in production environments; (2) implement input validation to reject sort parameters containing suspicious characters or SpEL syntax (brackets, curly braces, hash symbols); (3) use Spring Data query methods that do not expose Sort objects to untrusted input; (4) apply principle of least privilege to service accounts and API credentials to limit blast radius if an account is compromised.

Patch guidance

Monitor the official Broadcom/VMware Spring Data project release notes and security advisories for patched versions addressing CVE-2026-41719. Apply patches promptly to development and staging environments first to validate compatibility with your application. Pay close attention to the affected version ranges (2.7.x, 3.x, and 4.0.x lines) to identify which releases require updates. Test query functionality and sort operations after patching to ensure no regression. Coordinate patch deployment with change management and release schedules to minimize operational disruption. Backports may be available for older stable branches; consult the vendor advisory to determine which version lines will receive updates.

Detection guidance

Monitor application logs for suspicious sort parameters containing SpEL syntax patterns: use cases, hash symbols (#), square brackets, curly braces, or method invocation patterns (e.g., T(java.lang.Runtime)). Implement Web Application Firewall (WAF) rules to block HTTP requests with SpEL injection patterns in query parameters. Use runtime application self-protection (RASP) or Java agents to intercept and log SpEL evaluation attempts. Monitor for unusual CPU or memory spikes that might indicate code execution. In Java applications, enable Spring Security debug logging to capture authentication and authorization events. Review repository query method calls to identify which endpoints accept user-provided Sort objects; those are the highest-risk attack surfaces. Correlate authentication logs with API request patterns to identify potential exploitation attempts by authenticated users.

Why prioritize this

This vulnerability warrants prompt but measured attention. The CVSS score of 6.4 (MEDIUM) reflects material risk to confidentiality and integrity, but the authentication requirement and high complexity barrier reduce immediate exploitation likelihood. Prioritize patching if your organization: uses Spring Data KeyValue or Redis in customer-facing or multi-tenant applications; exposes sort APIs to end-users without additional validation; runs versions 3.x or 4.0.x (more recent, actively used); or operates in regulated industries (finance, healthcare) where data confidentiality is critical. Organizations with mature input validation, strong authentication controls, and network segmentation can afford a measured timeline, but should not defer indefinitely.

Risk score, explained

The CVSS 6.4 score reflects a medium-severity vulnerability with significant but not critical impact. Network accessibility (AV:N) is typical for web and API-based applications. The authentication requirement (PR:L) and high complexity (AC:H) meaningfully reduce the attack surface and likelihood of exploitation compared to an unauthenticated or low-complexity flaw. The impact on confidentiality (HIGH), integrity (LOW), and availability (LOW) indicate that data theft is the primary concern, with secondary risks to system modification or availability. The unchanged scope (S:U) means the vulnerability is confined to the affected component and does not escalate to other systems by design, though downstream impacts depend on application architecture.

Frequently asked questions

Do we need to patch immediately, or can we defer until the next maintenance window?

Deferral is reasonable if: (1) you have network access controls limiting who can reach the application; (2) your application does not expose user-controlled sort parameters to untrusted actors; (3) you have strong authentication and audit logging in place. However, do not defer indefinitely. Schedule patching within your standard maintenance cycle (typically 30–90 days for MEDIUM-severity vulnerabilities) and sooner if you operate in high-security environments or have customer commitments for patched versions.

How do we know if we're using an affected version of Spring Data?

Check your Maven pom.xml, Gradle build.gradle, or application dependency manifest for spring-data-keyvalue or spring-data-redis. The artifact version must fall within the affected ranges: 2.7.0–2.7.19, 3.0.0–3.0.15, 3.1.0–3.1.14, 3.2.0–3.2.15, 3.3.0–3.3.16, 3.4.0–3.4.14, 3.5.0–3.5.11, or 4.0.0–4.0.5. Use your build tool's dependency tree command (mvn dependency:tree or gradle dependencies) to confirm transitive dependencies if Spring Data is pulled in indirectly.

Can we mitigate this without patching?

Yes, partially. If your application constructs Sort objects from hardcoded or internal logic only (never from user input), the risk is eliminated. If you must accept user sort parameters, validate them against a whitelist of allowed property names before passing them to query methods. Disable SpEL expression parsing if your application framework provides that option. Apply network and authentication controls to restrict access to vulnerable endpoints. However, input validation is error-prone, so patching is the recommended long-term fix.

Is this vulnerability being actively exploited?

CVE-2026-41719 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed evidence of in-the-wild exploitation as of the publication date. However, absence from KEV does not guarantee the vulnerability is not being exploited; it reflects CISA's current visibility. Assume sophisticated adversaries may have already reverse-engineered payloads. Prioritize patching based on your risk profile and data sensitivity rather than KEV status alone.

This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the publication date. Patch version numbers, KEV status, and vendor advisory details are subject to change and should be verified against official Broadcom/VMware and Spring Data project releases before production deployment. SEC.co makes no warranty regarding the accuracy or completeness of this information and assumes no liability for decisions made based on it. Organizations are responsible for assessing their own risk posture, testing patches in staging environments, and consulting official vendor documentation. Consult your security team, vendor support, and compliance requirements when planning remediation. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).