CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch
Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 3.7.20
- Affected Products: 1
HarborGuard Analysis
Synopsis
SpEL (Spring Expression Language) injection in Spring Data REST allows an authenticated attacker to embed arbitrary expressions inside JSON Patch requests targeting Map-typed entity properties. The vulnerable path processing accepts a JSON Pointer segment as a map key and passes it directly to the SpEL evaluator without sanitization, reachable over the network with any low-privilege account. Successful exploitation gives the attacker full read and write access to application data in scope of the evaluated expression context. Patched-image rebuilds at versions 3.7.20, 4.3.17, 4.4.15, 4.5.12, and 5.0.6 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Available: Detection of CVE-2026-41729 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of feed ingestion, including custom-built images that bundle Spring Data REST as a dependency.
- Available: HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to route alerts to the appropriate team inbox inside the customer org.
- Available: A patched-image rebuild targeting the applicable fix version (3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6) becomes available through HarborGuard for any image found to carry an affected Spring Data REST release. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Spring Data REST HTTP endpoint over the network; the service must be accessible remotely for the PATCH request to be delivered.
- Authentication: Required
Any low-privilege account is sufficient; the attacker does not need admin credentials, only a valid authenticated session that can issue PATCH requests to an exposed repository endpoint.
- Victim interaction: Not required
No user interaction is needed; the attacker sends a crafted JSON Patch request directly to the server without any action from another user.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions.
Blast Radius
- Reads any data accessible through the SpEL evaluation context, including entity fields, application properties, and Spring bean state exposed at expression scope.
- Writes or modifies persisted entity data by executing SpEL expressions that invoke setter methods or mutate Map-typed properties on the targeted domain object.
- Allows traversal to other Spring beans within the application context, potentially invoking methods on services or repositories beyond the originally targeted entity.
How HarborGuard Handles This
Available on HarborGuard: images containing affected Spring Data REST versions (3.7.0-3.7.19, 4.3.0-4.3.16, 4.4.0-4.4.14, 4.5.0-4.5.11, 5.0.0-5.0.5) are flagged automatically as new scans complete or existing scan results are re-evaluated against the updated feed. For customers who opt into auto-remediation, HarborGuard can rebuild the image at the appropriate fix release, run the configured regression suite, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit automated remediation, the finding is routed to the designated team inbox with CVSS context and affected layer details so engineers can act manually. Until a rebuild is deployed, compensating controls worth considering include restricting PATCH requests on JSON Patch content type at the API gateway or ingress layer, and narrowing authenticated roles that can reach Map-typed entity endpoints via Spring Security method-level authorization.
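The two compensating controls named above (restricting PATCH requests that carry the JSON Patch content type, and narrowing the roles that can write to repositories exposing Map-typed properties) can both be expressed in Spring Security. The following is an added example written for this page; it is not code from the advisory, from HarborGuard, or from the Spring project. The `Customer` entity with its `attributes` map, `CustomerRepository`, the `ADMIN` role and the `JsonPatchHardeningConfig` class name are assumptions chosen for illustration, and the imports assume the Spring Security 6 / Jakarta line used by the Spring Data REST 4.x and 5.x releases in scope.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import jakarta.persistence.ElementCollection;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical entity carrying the kind of Map-typed property the advisory
// describes. Spring Data REST exposes it at /customers and a JSON Patch against
// /attributes/<key> uses the JSON Pointer segment <key> as the map key.
@Entity
class Customer {
    @Id
    @GeneratedValue
    Long id;

    @ElementCollection
    Map<String, String> attributes = new HashMap<>();
}

// Compensating control 2 (method-level authorization): Spring Data REST applies
// a PATCH by loading the entity, patching it and calling save(). Gating save()
// therefore restricts every write through this repository, whatever the
// request's content type, to the role named here.
interface CustomerRepository extends CrudRepository<Customer, Long> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    <S extends Customer> S save(S entity);
}

@Configuration
@EnableMethodSecurity
public class JsonPatchHardeningConfig {

    // Matches the request shape the advisory names: PATCH with the JSON Patch
    // media type. Content-Type may carry parameters (";charset=UTF-8"), so only
    // the media type prefix is compared, case-insensitively.
    static final RequestMatcher JSON_PATCH_REQUEST = request ->
        "PATCH".equalsIgnoreCase(request.getMethod())
            && request.getContentType() != null
            && request.getContentType().trim().toLowerCase(Locale.ROOT)
                .startsWith("application/json-patch+json");

    // Compensating control 1 (HTTP layer): JSON Patch bodies are accepted only
    // from the ADMIN role; every other authenticated request is unaffected.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers(JSON_PATCH_REQUEST).hasRole("ADMIN")
            .anyRequest().authenticated());
        return http.build();
    }
}
```

The HTTP-level rule is deliberately narrow: it keys only on the JSON Patch media type, which is the request shape the advisory describes, so ordinary GET, POST and PUT traffic keeps working while the ingress or gateway rule mentioned above can mirror the same match. The repository-level rule is the backstop for the case where a request reaches the application by a path the HTTP rule does not cover. For the Spring Data REST 3.7.x line, the `jakarta.persistence` imports become `javax.persistence` and `@EnableMethodSecurity` becomes `@EnableGlobalMethodSecurity(prePostEnabled = true)`. Both controls are stopgaps; the finding is closed only by deploying the fix release listed for the affected line.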
Fix available
- Spring / Spring Data REST: < 3.7.20 (from 3.7.0) · < 4.3.17 (from 4.3.0) · < 4.4.15 (from 4.4.0) · < 4.5.12 (from 4.5.0) · < 5.0.6 (from 5.0.0)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N