HIGH 8.1

CVE-2026-41732: Spring for Apache Pulsar Remote Code Execution via Unsafe Deserialization

A flaw in Spring for Apache Pulsar's type-header validation allows an attacker to deserialize untrusted Java objects when the library is configured with a trusted-packages allowlist. The vulnerability has two related problems: first, trusting a package name implicitly trusts all of its subpackages due to a prefix-matching check, and second, an empty trusted-packages configuration defaults to trusting all packages instead of safely rejecting unknown types. An attacker on the network can exploit this by sending specially crafted messages to deserialize malicious objects, potentially leading to remote code execution.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-07-17

NVD description (verbatim)

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

JsonPulsarHeaderMapper performs type-header validation by checking incoming class names against a configured trusted-packages list using prefix matching. This design flaw means that whitelisting a package like 'com.example' automatically permits any subpackage such as 'com.example.attacker.Payload'. Additionally, when no trusted-packages are explicitly configured, the library defaults to permitting all packages rather than implementing a secure deny-all posture. An attacker with network access can craft Pulsar messages containing serialized gadget chains that exploit common Java deserialization vulnerabilities. Because the validation logic is fundamentally flawed, even organizations that believed they had implemented package restrictions may still be vulnerable.

Business impact

Successful exploitation enables remote code execution on systems running Spring for Apache Pulsar. An unauthenticated network attacker can inject malicious payloads into message streams, executing arbitrary code with the privileges of the affected application. For organizations using Pulsar for event streaming, messaging, or data pipelines, this vulnerability could lead to data theft, lateral movement within infrastructure, service disruption, or deployment of persistent backdoors. The risk is elevated because the misconfiguration may go undetected—organizations believing they have a safe allowlist may actually be fully exposed.

Affected systems

The vulnerability affects Spring for Apache Pulsar versions 1.1.0 through 1.1.17, 1.2.0 through 1.2.17, and 2.0.0 through 2.0.5. Any deployment using these versions for message consumption with untrusted or external message sources is at risk. The vendor is VMware. Organizations should identify all applications and services consuming Pulsar messages via Spring bindings and verify which versions are currently deployed.

Exploitability

Exploitation requires network access to the Pulsar broker or the ability to inject messages into a topic being consumed by a vulnerable application. The attack does not require authentication, user interaction, or complex setup—an attacker simply needs to send a malicious serialized object as a message payload. The CVSS score of 8.1 (HIGH) reflects the high impact (confidentiality, integrity, and availability all affected) combined with the moderately complex attack complexity due to the need to craft a suitable gadget chain and deliver it over the network. Public proof-of-concept code would likely emerge quickly if not already available in the community.

Remediation

Upgrade to patched versions: Spring for Apache Pulsar 1.1.18 or later, 1.2.18 or later, or 2.0.6 or later (verify exact version availability against VMware's advisory). The patch corrects the prefix-matching logic and implements secure-by-default behavior for empty trusted-packages configurations. Until patching is complete, apply compensating controls: restrict network access to Pulsar brokers, implement message validation at the application level, disable deserialization of untrusted types, or isolate Pulsar consumers in network segments with strict ingress filtering.

Patch guidance

VMware has released patches for affected versions. Check the VMware Spring for Apache Pulsar security advisory for the specific patch version numbers for your current version line (1.1.x, 1.2.x, or 2.0.x). Prioritize patching development and staging environments first to validate compatibility with your Pulsar configuration and any custom type headers. Review your trusted-packages configuration after upgrading to ensure it reflects the principle of least privilege—only explicitly allow the specific packages your application requires, avoiding overly broad entries.

Detection guidance

Monitor Pulsar consumers for deserialization errors or ClassNotFoundException exceptions, which may indicate failed exploitation attempts. Review application logs and Pulsar broker logs for messages containing unexpected serialized Java objects or gadget-chain payloads. Network-level detection is challenging but possible if you capture and inspect Pulsar message traffic for signatures of common exploitation frameworks (e.g., ysoserial-generated payloads). Audit the trusted-packages configuration in your Spring Pulsar setup—if it is empty or contains very broad entries (e.g., 'java', 'com'), your application is especially vulnerable.

Why prioritize this

This vulnerability warrants urgent attention because it enables unauthenticated remote code execution with high impact and relatively low attack complexity. The misalignment between administrator intent (a restrictive allowlist) and actual behavior (unrestricted deserialization) creates risk that is hard to self-assess without detailed code review. The flaw affects all three active version branches, and public disclosure has occurred. Threat actors actively exploit Java deserialization vulnerabilities, making this a probable target for scanning and exploitation attempts.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) is driven by network-based attack vector (AV:N), high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), and no authentication requirement (PR:N/UI:N). Attack complexity is rated as high (AC:H) because a successful exploit requires crafting a suitable gadget chain and delivering it via Pulsar, which assumes some attacker sophistication. However, tooling and libraries for Java deserialization exploitation are mature and widely available, so the practical attack complexity is lower than the CVSS suggests. The scope is unchanged (S:U) because the vulnerability does not cross privilege boundaries in a typical deployment.

Frequently asked questions

Do we need to patch if we have an empty trusted-packages configuration?

Yes—an empty configuration is especially dangerous because it defaults to trusting all packages. This is likely the worst-case scenario and should be patched immediately. After upgrading, configure the trusted-packages list to include only the specific packages your application actually needs.

If we trust a package like 'com.example', does that include 'com.example.unsafe'?

Yes, in the vulnerable versions. The prefix-matching behavior means any subpackage is automatically trusted. This is why the patch is critical—it corrects this overly permissive matching logic. After patching, review your allowlist to ensure you are not unintentionally trusting unsafe subpackages.

Can we mitigate this without patching?

Patching is strongly recommended, but temporary mitigations include isolating Pulsar consumers on trusted networks, disabling serialization-based type handling if your application supports alternative message formats, and implementing application-level validation to reject unexpected message types. However, these controls are not a substitute for a proper patch.

Are we affected if we only consume from internal, trusted Pulsar topics?

The risk is lower if your Pulsar infrastructure and topics are strictly internal, but the vulnerability still exists. Insider threats, compromised producers, or lateral movement by attackers could introduce malicious messages. Patching eliminates the underlying flaw and is the recommended approach.

This analysis is based on the CVE record and publicly available vendor information as of the publication date. Specific patch version numbers and availability should be verified against VMware's official security advisory before deployment. No exploit code or detailed weaponization steps are provided in this document. Organizations must conduct their own risk assessment based on their specific Pulsar deployment, network topology, and message sources. This document does not constitute professional security advice; consult with your security team or a qualified security vendor for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).