HIGH 8.1

CVE-2026-41729: Spring Data REST SpEL Injection in JSON Patch Requests

Spring Data REST, a popular framework for building REST APIs on top of Spring Data repositories, contains a vulnerability in how it processes JSON Patch requests when entities include Map-type properties. An authenticated attacker can inject malicious SpEL (Spring Expression Language) expressions by crafting a specially formatted JSON Patch request. The framework fails to sanitize the map key derived from the JSON Pointer path, allowing the attacker to execute arbitrary code on the server. This requires valid credentials but no additional user interaction to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-917
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-41729 is a SpEL expression injection vulnerability in Spring Data REST's JSON Patch handler. When processing PATCH requests with Content-Type application/json-patch+json, the framework constructs SpEL expressions to update Map-typed entity properties. The JSON Pointer path segment that identifies the map key is concatenated directly into the SpEL expression without escaping or validation. An attacker with valid authentication can embed SpEL payloads in the path segment to achieve remote code execution. The vulnerability stems from improper trust of user-controlled input in a security-sensitive context (expression language evaluation).

Business impact

Successful exploitation grants an authenticated attacker code execution capabilities within the Spring application's process and security context. This enables data theft, lateral movement within internal systems, denial of service through resource exhaustion, and potential compromise of connected databases or microservices. Organizations using Spring Data REST to expose REST endpoints should assume all authenticated user sessions represent a potential attack vector. If those endpoints handle sensitive data or interconnect critical systems, this vulnerability creates a direct path to those assets.

Affected systems

VMware Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 are vulnerable. The vulnerability only manifests when: (1) JSON Patch requests are accepted (application/json-patch+json content type), and (2) the persistent entity exposes at least one Map-typed property. Applications using Spring Data REST without Map properties, or those that do not expose JSON Patch endpoints, are not affected. Confirm your dependency tree and entity definitions to determine exposure.

Exploitability

The vulnerability requires authentication, which limits the immediate attack surface to valid users or compromised credentials. However, the barrier to exploitation once authenticated is low: a single crafted JSON Patch request with a malicious SpEL expression in the map key is sufficient. No user interaction is required, and no special network positioning is needed—the attacker simply needs network access to the REST endpoint. The attack is deterministic and reliable if the vulnerable code path is reached. This is not listed on the CISA Known Exploited Vulnerabilities catalog as of the last update, but the straightforward nature of the attack suggests rapid weaponization is likely once public details emerge.

Remediation

Upgrade to patched versions of Spring Data REST that sanitize or reject SpEL-like patterns in JSON Patch path segments. Verify against the vendor advisory for the specific patch version for your branch. Additionally, implement input validation at the application level to reject JSON Patch requests containing suspicious characters or patterns in path segments. Consider disabling JSON Patch support entirely if it is not required by your use case. Restrict REST endpoint access via network controls and require strong authentication (multi-factor authentication where feasible) to reduce the likelihood of credential compromise.

Patch guidance

Check the VMware Spring Data REST security advisory for available patches within your supported version branch. Patches are expected for versions 3.7.x, 4.3.x, 4.4.x, 4.5.x, and 5.0.x. Apply patches according to your software release cycle, prioritizing production systems. Coordinate with development teams to validate that patched versions do not introduce breaking changes to your application's REST API consumers. Test JSON Patch functionality after patching to confirm remediation.

Detection guidance

Monitor HTTP PATCH requests to Spring Data REST endpoints with Content-Type application/json-patch+json. Look for JSON Pointer paths that contain SpEL operators or expressions (e.g., T(java.), #, ${}, parentheses, or backticks in the path segment). Implement Web Application Firewall (WAF) rules to block requests matching these patterns. Analyze application logs for exceptions related to SpEL expression evaluation or parsing errors in the JSON Patch handler. A sudden spike in PATCH request errors may indicate active exploitation attempts.

Why prioritize this

This vulnerability merits immediate attention due to its CVSS score of 8.1 (HIGH severity) and the combination of authenticated remote code execution with low exploitation complexity. Although authentication is required, the impact spans confidentiality, integrity, and system availability. Code execution in the application process can compromise downstream systems and data. Organizations should treat this as a priority patch across all affected Spring Data REST deployments, particularly those handling sensitive transactions or data.

Risk score, explained

The CVSS v3.1 score of 8.1 reflects: Network accessibility (AV:N), low attack complexity (AC:L), and requirement for low-level privileges (PR:L). The vulnerability achieves high impact on confidentiality (C:H) and integrity (I:I) with no direct availability impact (A:N), consistent with code execution that does not inherently crash the service. The authentication requirement (PR:L) prevents a score in the Critical range but does not diminish the severity of the threat to authenticated users and system integrity.

Frequently asked questions

Do I need to patch if my Spring Data REST entities don't use Map-typed properties?

No. The vulnerability only manifests when processing JSON Patch requests against Map-typed properties. If your entities use only primitive types, collections of objects, or other non-Map properties, you are not affected by this specific vulnerability. However, verify your entity definitions carefully, as transitive dependencies or composite types may include Map properties unexpectedly.

What is SpEL and why is this dangerous?

SpEL (Spring Expression Language) is a powerful expression evaluation system in Spring that can access Java methods, constructors, and fields at runtime. When untrusted input is embedded into a SpEL expression and evaluated, an attacker can invoke arbitrary Java code—such as loading external classes, executing system commands, or manipulating application state. This vulnerability allows exactly that through JSON Patch paths.

Can I work around this vulnerability without upgrading immediately?

Possible temporary mitigations include: disabling JSON Patch support if not required, restricting PATCH method access via reverse proxy or firewall rules, enforcing strict authentication and authorization policies, and implementing WAF rules to block suspicious path patterns. However, these are not substitutes for patching. Plan an upgrade on your nearest maintenance window.

Does this affect Spring Data JPA or other Spring Data modules?

No. This vulnerability is specific to Spring Data REST's JSON Patch handler. Other Spring Data modules (Spring Data JPA, MongoDB, etc.) are not directly affected unless they are used as a dependency of a vulnerable Spring Data REST instance. Always consult the vendor advisory to confirm the scope of affected components.

This analysis is based on the published CVE description and vendor information available as of the date noted. Security landscapes evolve; consult the official VMware Spring Data REST security advisory and your vendor support channels for the most current patch status, patch verification steps, and version-specific guidance. SEC.co does not warrant the completeness or real-time accuracy of this analysis. Organizations are responsible for validating patch applicability, testing patches in non-production environments, and assessing their own exposure based on their specific infrastructure and application configurations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).