HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-41731Published Modified CNA vmware

CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Metrics

CVSS v3.1
8.1
Severity
HIGH
Fixed in
2.8.12
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an insecure deserialization vulnerability in Spring for Apache Kafka's header mapper components (JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper). It is reachable over the network without authentication, though exploitation requires overcoming some environmental complexity. A successful attacker who controls Kafka message headers can cause a consumer to deserialize arbitrary JDK types, enabling remote code execution, data disclosure, or data tampering. Patched-image rebuilds at versions 2.8.12, 2.9.14, 3.2.14, 3.3.16, and 4.0.6 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-41731 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of feed ingestion, including custom-built images that bundle affected Spring for Apache Kafka versions.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild targeting the applicable fix version (2.8.12, 2.9.14, 3.2.14, 3.3.16, or 4.0.6) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the Kafka broker over the network and produce messages to a topic consumed by the vulnerable application.

  • AuthenticationNot required

    No authentication credentials are required; any producer that can publish to the relevant Kafka topic can deliver crafted headers.

  • Victim interactionNot required

    No victim interaction is needed; the consumer processes incoming Kafka messages automatically without any human action.

  • Attack complexityDetail

    Exploitation is rated High complexity, meaning the attacker must satisfy conditions beyond simple message delivery, such as controlling the topic or bypassing broker-level access controls that may exist in a given deployment.

Blast Radius

  • A successful attacker achieves remote code execution in the context of the Kafka consumer process by triggering deserialization of a crafted JDK gadget chain.
  • Arbitrary code execution gives the attacker read access to secrets, credentials, and application data held in memory or accessible from the consumer host.
  • The attacker can write or modify application state, persisted data, or downstream records that the consumer would normally produce.
  • The consumer process can be crashed or rendered unresponsive, disrupting message processing pipelines that depend on it.

How HarborGuard Handles This

Available on HarborGuard: detection and triage for CVE-2026-41731 run automatically against any image containing an affected Spring for Apache Kafka version (4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, or 2.8.0 through 2.8.11). Given the HIGH severity and CVSS 8.1 score, the finding is prioritized accordingly in each environment's compliance policy queue. Where compliance policy permits, HarborGuard can rebuild the affected image at the appropriate fix version (2.8.12, 2.9.14, 3.2.14, 3.3.16, or 4.0.6), execute a regression run, and open a pull request against affected workloads; for environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Teams not yet on auto-remediation should prioritize upgrading to the applicable fix version and, as a compensating control in the interim, should restrict which principals can produce messages to sensitive Kafka topics and audit any explicit trusted-package configurations in their header mapper setup.

See how HarborGuard automates this

Fix available

2.8.122.9.143.2.143.3.164.0.6
Affected packages
  • Spring / Spring for Apache Kafka
    < 4.0.6 (from 4.0.0) · < 3.3.16 (from 3.3.0) · < 3.2.14 (from 3.2.0) · < 2.9.14 (from 2.9.0) · < 2.8.12 (from 2.8.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References