CVE-2026-41717: Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and uses a capture-all placeholder, so that the caller's argument supplies the query text itself rather than a single bound value. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 3.4.20 (earliest fixed release; each later branch has its own fix version, listed below)
- Affected Products: 1
HarborGuard Analysis
Synopsis
SpEL (Spring Expression Language) expression injection in Spring Data MongoDB affects applications that use @Query-annotated repository methods with a capture-all parameter placeholder. The injection point is reachable over the network without authentication, but exploitation is rated high complexity because it depends on the target actually exposing such a method to attacker-controlled input. Successful exploitation gives an attacker full read, write, and denial-of-service capability against the affected service (CVSS C:H/I:H/A:H). Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring Data MongoDB. Coverage extends to images in connected registries and to images built inside CI/CD pipelines.
HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine routing priority. Findings are surfaced to the appropriate team inbox inside each customer org based on configured policy rules.
Patched-image rebuilds at versions 3.4.20, 4.0.16, 4.1.15, 4.2.16, 4.3.17, 4.4.15, 4.5.12, and 5.0.6 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable component must be reachable over the network; an attacker submits a crafted query parameter to an exposed HTTP or API endpoint that invokes an @Query-annotated repository method.
- Authentication: Not required
No credentials or session token are needed; the attacker can reach the injection point as an unauthenticated caller.
- Victim interaction: Not required
Exploitation is fully attacker-driven and does not require any action from a user or operator of the target application.
- Attack complexity: High
Exploitation is rated high complexity because the attacker must rely on environmental factors or a specific application configuration (an @Query method that uses a capture-all placeholder and is fed attacker-controlled input) that are not guaranteed to be present on every target.
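The following is an added example, not code from this advisory or from the Spring Data MongoDB project. It shows the application-side pattern the synopsis and the exploit conditions above describe: a repository method whose entire query document is a single placeholder filled from an unauthenticated HTTP parameter, next to two hardened forms in which the query shape is fixed in code and only values come from the caller. The entity, repository, controller and service names are hypothetical, and treating `@Query("?0")` as the capture-all placeholder the advisory refers to is an assumption made here. Upgrading to the fix versions is the fix; removing the capture-all pattern is the application-side change that takes the vulnerable code path out of reach.

```java
import java.util.List;

import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.core.MongoTemplate;
import org.springframework.data.mongodb.core.mapping.Document;
import org.springframework.data.mongodb.core.query.Criteria;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical entity; collection and field names are assumptions.
@Document("users")
class User {
    @Id String id;
    String username;
    String role;
}

// BEFORE: capture-all placeholder. The whole query document is taken from the
// method argument, so the caller decides field names, operators and whatever
// else the query parser accepts. Assumption: this "?0"-only form is the
// capture-all shape the advisory means. This is the pattern to search for.
interface UnsafeUserRepository extends MongoRepository<User, String> {
    @Query("?0")
    List<User> findByClientSuppliedQuery(String rawQueryDocument);
}

// Reachability: an unauthenticated request parameter flows straight into the
// placeholder. Hypothetical controller.
@RestController
class UnsafeUserController {
    private final UnsafeUserRepository repo;

    UnsafeUserController(UnsafeUserRepository repo) {
        this.repo = repo;
    }

    @GetMapping("/unsafe/users")
    List<User> search(@RequestParam("q") String q) {
        return repo.findByClientSuppliedQuery(q); // caller controls the query text
    }
}

// AFTER: the query shape is fixed in the annotation; the argument is bound as a
// value for one field, not as query text.
interface SafeUserRepository extends MongoRepository<User, String> {
    @Query("{ 'username': ?0, 'role': 'member' }")
    List<User> findMemberByUsername(String username);

    // Derived query: no query string at all, same effect.
    List<User> findByUsernameAndRole(String username, String role);
}

// AFTER, when the filter must be assembled at runtime: build it with Criteria so
// field names and operators are code and only values come from the caller.
// Hypothetical service.
class UserSearchService {
    private final MongoTemplate template;

    UserSearchService(MongoTemplate template) {
        this.template = template;
    }

    List<User> search(String username, String role) {
        org.springframework.data.mongodb.core.query.Query query =
            new org.springframework.data.mongodb.core.query.Query(
                Criteria.where("username").is(username).and("role").is(role));
        return template.find(query, User.class);
    }
}
```

As a quick inventory check while the rebuild is being evaluated, search the source tree for `@Query` annotations whose value is nothing but a placeholder (`@Query("?0")` and the like) and trace which controllers reach them; those methods, not every `@Query` method, are the ones that need the network-policy isolation described later on this page.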
Blast Radius
- Reads arbitrary data from the MongoDB database, including stored credentials, session tokens, and application records.
- Writes or modifies persisted database documents, enabling data tampering or injection of malicious records.
- Crashes or severely degrades the affected service, causing a denial of service for dependent applications and users.
- Depending on the SpEL evaluation context, the injected expression may access JVM internals or Spring application context beans, extending the attacker's reach beyond the database layer.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-41717 is active across all connected registries and pipelines; images have been matched against the affected Spring Data MongoDB version ranges listed above since the CVE was published. Patched rebuilds at 3.4.20, 4.0.16, 4.1.15, 4.2.16, 4.3.17, 4.4.15, 4.5.12, and 5.0.6 are available for any image found running an affected version. Where compliance policy permits, customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is routed to the configured team inbox with CVSS scoring and the affected-image inventory attached for manual review. As a compensating control while a rebuild is being evaluated, restrict network access to services that expose @Query-annotated endpoints to unauthenticated callers; this shrinks the exploitable surface but does not remove the vulnerable code path, so it is not a substitute for the upgrade.
Fix available
- Spring / Spring Data MongoDB: < 5.0.6 (from 5.0.0) · < 4.5.12 (from 4.5.0) · < 4.4.15 (from 4.4.0) · < 4.3.17 (from 4.3.0) · < 4.2.16 (from 4.2.0) · < 4.1.15 (from 4.1.0) · < 4.0.16 (from 4.0.0) · < 3.4.20 (from 3.4.0)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H