HarborGuard Database

CVE-2026-41732 · Severity: HIGH · CNA: vmware

CVE-2026-41732: In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
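The two matching defects in the description can be seen side by side in a small stand-alone class. This is an added illustration written for this page, not Spring for Apache Pulsar's code and not its actual patch: the method names, the contents of DEFAULT_TRUSTED, and the semantics chosen for the hardened check (exact package match, explicit default list when nothing is configured) are assumptions, and the type hints in main are constructed.

```java
import java.util.List;
import java.util.Set;

/**
 * Illustrative trusted-package checks for a header-mapper type hint.
 * Added example for this page; NOT Spring for Apache Pulsar's implementation.
 */
public final class TrustedPackageCheck {

    /** Assumed safe default for an empty configuration (contents hypothetical). */
    static final Set<String> DEFAULT_TRUSTED = Set.of("java.lang", "java.util", "java.net");

    /** Package part of a fully qualified class name ("" when there is none). */
    static String packageOf(String className) {
        int dot = className.lastIndexOf('.');
        return dot < 0 ? "" : className.substring(0, dot);
    }

    /** Flawed semantics as the advisory describes them: prefix match, empty list trusts all. */
    static boolean vulnerableIsTrusted(String className, List<String> trustedPackages) {
        if (trustedPackages.isEmpty()) {
            return true;  // fallback to trusting every package, JDK packages included
        }
        String pkg = packageOf(className);
        for (String trusted : trustedPackages) {
            if (pkg.startsWith(trusted)) {  // "com.example.events" also admits "com.example.events.internal"
                return true;
            }
        }
        return false;
    }

    /** Hardened semantics (assumed, not the upstream patch): exact package match, explicit default. */
    static boolean hardenedIsTrusted(String className, List<String> trustedPackages) {
        Set<String> allow = trustedPackages.isEmpty() ? DEFAULT_TRUSTED : Set.copyOf(trustedPackages);
        String pkg = packageOf(className);
        return !pkg.isEmpty() && allow.contains(pkg);
    }

    public static void main(String[] args) {
        // Constructed type hints a producer could place in a message header.
        List<String> typeHints = List.of(
                "com.example.events.OrderCreated",            // what the application expects
                "com.example.events.internal.DebugPayload",   // subpackage of the trusted package
                "javax.script.ScriptEngineManager");          // arbitrary JDK class, not in any list

        List<String> configured = List.of("com.example.events");
        List<String> empty = List.of();

        System.out.printf("%-45s %-10s %-10s %-11s %-11s%n",
                "type hint", "vuln/cfg", "hard/cfg", "vuln/empty", "hard/empty");
        for (String hint : typeHints) {
            System.out.printf("%-45s %-10b %-10b %-11b %-11b%n", hint,
                    vulnerableIsTrusted(hint, configured), hardenedIsTrusted(hint, configured),
                    vulnerableIsTrusted(hint, empty), hardenedIsTrusted(hint, empty));
        }
    }
}
```

Compile and run with `javac TrustedPackageCheck.java && java TrustedPackageCheck` (Java 10 or later for Set.copyOf). The table shows the two behaviours the advisory calls out: with `com.example.events` configured, the flawed check also admits the `internal` subpackage; with nothing configured, the flawed check admits every class, including the JDK one, while the hardened variant only admits whatever the explicit default list names.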

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 1.1.18 (1.1.x); 1.2.18 (1.2.x); 2.0.6 (2.0.x)
Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-41732 is an insecure-deserialization weakness in Spring for Apache Pulsar's JsonPulsarHeaderMapper. Message type headers are checked against the trusted-package list with a prefix match, so trusting a package also trusts every subpackage under it, and an empty list trusts all packages instead of a safe default allow-list; a producer can therefore name JDK classes as the target type for header deserialization. The flaw is reachable over the network with no authentication (AV:N/PR:N), but attack complexity is rated High because the attacker must get a crafted message onto a topic the vulnerable application consumes and have it pass through this mapper. The CVSS assessment rates confidentiality, integrity and availability impact all High. Fixed versions are 1.1.18, 1.2.18 and 2.0.6; patched-image rebuilds at those versions are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-41732 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle affected Spring for Apache Pulsar versions.

Triage: Available

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights that score against each environment's compliance policy to surface appropriately prioritized findings; routing to the correct team inbox within a customer org is handled automatically based on configured ownership rules.

Patch: Available

A patched-image rebuild at version 1.1.18, 1.2.18, or 2.0.6 (depending on the release line in use) becomes available through HarborGuard once the fix is confirmed against the image's bill of materials. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs the regression suite, and opens a pull request against affected workloads; where compliance policy permits, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to get a crafted message onto a Pulsar topic that the affected application consumes, which in practice means reaching the Pulsar broker over the network (AV:N). No local or physical access is needed, but the broker must be exposed to the attacker's network path.

  • Authentication: Not required

    The CVSS vector (PR:N) assumes the broker accepts messages from unauthenticated producers, so no credentials or account are needed to send crafted message headers. Where Pulsar authentication and topic-level authorization are enforced, the attacker additionally needs publish rights on a topic the application consumes.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from a user or operator of the affected service.

  • Attack complexity: High

    The attacker must control the type header carried with the message and ensure the target application processes that header through the vulnerable JsonPulsarHeaderMapper. Both conditions depend on the target's configuration, which is why the vector rates complexity High (AC:H).

Blast Radius

  • The CVSS assessment rates confidentiality, integrity and availability impact all High (C:H/I:H/A:H); the concrete outcome depends on which JDK classes the header mapper can be made to instantiate and on what else is present on the application's classpath.
  • Confidentiality: an attacker who controls which classes are deserialized may be able to read application secrets, credentials, and in-memory state accessible to the JVM process.
  • Integrity: deserialization of attacker-chosen types may let the attacker write or modify persisted data, including database rows or file-system state reachable by the application.
  • Code execution: the advisory does not state that the exposed JDK classes can be chained into arbitrary code execution. Plan as though the consumer process can be fully compromised, but do not assume a working gadget chain exists for every deployment.
  • Availability: malformed or resource-heavy payloads can crash the affected Pulsar consumer process, disrupting any workloads that depend on the message pipeline.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and rebuild capabilities for CVE-2026-41732 are ready for use across customer environments. For images running Spring for Apache Pulsar 1.1.x, 1.2.x, or 2.0.x, HarborGuard identifies the affected dependency in both upstream base images and internally built images. With auto-remediation enabled, HarborGuard rebuilds the image against the appropriate fix version (1.1.18, 1.2.18, or 2.0.6), executes the configured regression test suite, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in those environments. Where auto-remediation is not enabled, the finding appears in the triage queue with CVSS 8.1 (HIGH) scoring and compliance-weighted priority so engineers can act manually.

Compensating controls before the rebuild lands follow directly from the description of the flaw. First, do not leave the header mapper's trusted-packages configuration empty, since on affected versions an empty list trusts every package; configure the narrowest package that actually contains the header types the application expects, and remember that every subpackage of that package is trusted as well until the fix is applied. Second, restrict who can publish to the topics the application consumes: enforce Pulsar authentication and topic-level authorization on the broker, and use network policy to limit which workloads can reach the broker's listener ports. Egress filtering on the consumer can limit what a successful exploit does afterwards, but it does not block the attack itself, because the payload arrives as an inbound message.


Fix available

1.1.18 · 1.2.18 · 2.0.6
Affected packages
  • Spring / Spring for Apache Pulsar
    < 2.0.6 (from 2.0.0) · < 1.2.18 (from 1.2.0) · < 1.1.18 (from 1.1.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H