CVE-2026-41731: Spring for Apache Kafka Header Deserialization RCE (CVSS 8.1)
Spring for Apache Kafka contains a flaw in how it validates trusted message header types. When a developer trusts a package for deserialization, the framework actually trusts that entire package and all of its subpackages. An attacker who can produce Kafka messages can exploit this overly broad trust to craft malicious header values that force the consumer to deserialize and instantiate arbitrary JDK classes. Combined with Jackson's default deserialization behavior, this can lead to remote code execution on systems processing the poisoned messages.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-502
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41731 stems from a prefix-based type matching vulnerability in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper. When a trusted package list is configured, the framework performs only a prefix match rather than an exact package validation. This means specifying 'com.example' as trusted automatically trusts 'com.example.evil' and all deeper subpackages. A malicious producer can embed crafted header values containing serialized references to arbitrary JDK types (e.g., ProcessBuilder, Runtime). Upon consumption, Jackson's default bean deserialization behavior instantiates these objects, leading to code execution in the consumer process. The vulnerability affects multiple release lines of Spring for Apache Kafka across versions 2.8.x through 4.0.x.
Business impact
Organizations relying on Spring for Apache Kafka in production environments face direct remote code execution risk. Kafka brokers often sit in trusted network zones and process messages from producers that may be compromised or untrusted. A successful exploit grants an attacker code execution with the privileges of the consumer application, potentially enabling data exfiltration, lateral movement, or infrastructure takeover. Financial services, e-commerce platforms, and any entity using Kafka for event-driven architectures with external or semi-trusted producers are at elevated risk. The issue is particularly severe in multi-tenant or hybrid cloud deployments.
Affected systems
Spring for Apache Kafka versions 2.8.0–2.8.11, 2.9.0–2.9.13, 3.2.0–3.2.13, 3.3.0–3.3.15, and 4.0.0–4.0.5 are affected. VMware Spring for Apache Kafka, Red Hat Fuse, and Red Hat JBoss Enterprise Application Platform Expansion Pack are confirmed affected products. Any application using these libraries for Kafka header deserialization is potentially vulnerable. The impact is highest in deployments where producers are external, untrusted, or operate in different security domains from consumers.
Exploitability
Exploitation requires network access to the Kafka broker and the ability to produce messages with crafted headers. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects remote network exploitability with high complexity, likely due to the need for precise header construction and understanding of the consumer's trusted package configuration. However, once these details are known or inferred, reliable exploitation is feasible. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time, but this should not reduce priority given the severity and network-accessible attack surface.
Remediation
Apply vendor-provided patches immediately. Upgrade to patched versions above the affected ranges: 2.8.12 or later (2.8.x line), 2.9.14 or later (2.9.x line), 3.2.14 or later (3.2.x line), 3.3.16 or later (3.3.x line), or 4.0.6 or later (4.0.x line). Verify patch availability and compatibility against VMware, Red Hat, and upstream Spring release notes. As a temporary measure, restrict Kafka broker network access to known, trusted producers and apply strict authentication and authorization policies. Audit and minimize trusted package configurations to only genuinely necessary namespaces rather than broad parent packages.
Patch guidance
Priority should be given to patching systems running 4.0.x and 3.3.x lines first, as these are the most recent and likely in active deployments. Older 2.8.x and 2.9.x lines should follow immediately after. Test patches in a staging environment before production rollout to verify compatibility with custom header handling or Jackson configurations. Coordinate with Red Hat subscription customers to receive patches via their normal maintenance channels; VMware customers should consult VMware Security Advisory resources. After patching, redeploy consumer applications to ensure the patched library is in use.
Detection guidance
Monitor Kafka consumer logs for deserialization errors or exceptions referencing unexpected JDK class instantiation (e.g., ProcessBuilder, Runtime, or other potentially dangerous classes). Enable Jackson deserialization auditing if available in your deployment. Use network detection to identify anomalous Kafka producer behavior or unexpected message origins. Review consumer application configurations to identify and audit trusted package lists—remove overly permissive wildcard or parent-package entries. Consider implementing message schema validation upstream of deserialization to reject unexpected header structures. Runtime application self-protection (RASP) or Java deserialization filters can provide an additional layer of defense.
Why prioritize this
This vulnerability merits immediate attention due to its high CVSS score (8.1), remote exploitability, and direct path to code execution. The flaw is architectural in nature—prefix-based trust is a fundamental validation error—making it unlikely to be a minor oversight. Organizations must prioritize patch deployment within their change management process, ideally within days rather than weeks. The lack of KEV listing does not diminish urgency; this is a critical control plane vulnerability in a widely deployed framework.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects: (1) Network-accessible attack vector (AV:N) with no authentication required (PR:N), (2) High complexity (AC:H), likely due to the need for precise header crafting and pre-knowledge of trusted package configurations, (3) High impact across confidentiality, integrity, and availability (C:H/I:H/A:H) through unauthenticated remote code execution. The severity is tempered only by attack complexity; in practice, once an attacker understands the target's configuration, exploitation becomes straightforward.
Frequently asked questions
Can this vulnerability be exploited if I do not explicitly configure trusted packages?
Yes. Spring for Apache Kafka may have default trusted packages configured, and the prefix-matching flaw applies regardless. You should audit your configuration to identify all trusted packages and consider restricting them to only essential namespaces. Verify your Spring configuration and consult vendor advisories for default settings in your version.
Does this affect Kafka brokers themselves, or only consumers?
The vulnerability affects Kafka consumer applications that use JsonKafkaHeaderMapper or DefaultKafkaHeaderMapper for header deserialization. Kafka brokers are not directly exploitable unless they are also running consumer code. However, a compromised consumer can be a staging point for lateral movement within your infrastructure.
Are there runtime mitigations before I can patch?
Yes. Restrict network access to your Kafka brokers to only trusted producers. Implement strict authentication (SASL/SSL) and authorization policies. Audit and tighten your trusted package configurations to exclude broad parent packages. Additionally, consider deploying Java deserialization filters or RASP tools that can block instantiation of dangerous classes. These are temporary measures and should not delay patching.
How do I verify that my systems are patched?
Check the version of spring-kafka (or spring-cloud-stream-binder-kafka if using Spring Cloud) in your deployed artifacts. Compare against the patched version thresholds for your release line (e.g., 4.0.6+, 3.3.16+). Use your build and dependency scanning tools to confirm the patched version is in use in production. Test the patch in a non-production environment first to ensure compatibility.
This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. It is not a substitute for official vendor advisories, security bulletins, or legal guidance. Verify all patch version numbers and affected product lists against official VMware, Red Hat, and Spring Project security releases before deploying patches. Test patches in a non-production environment prior to production deployment. The absence of a CVE from the CISA Known Exploited Vulnerabilities catalog does not indicate low risk; prioritize remediation based on CVSS score, exploitability factors, and your organization's exposure. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-40993HIGHSpring Security SAML Metadata Deserialization RCE
- CVE-2026-41732HIGHSpring for Apache Pulsar Remote Code Execution via Unsafe Deserialization
- CVE-2026-41855HIGHSpring Framework JMS Deserialization Vulnerability (CVSS 8.1)
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-20251HIGHSplunk Remote Code Execution via KV Store Deserialization
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation