Spring Data MongoDB 5.0.5 SpEL Injection via @Query capture-all
CVE-2026-41717 Published on June 9, 2026
Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder.
Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Vulnerability Analysis
CVE-2026-41717 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CVE-2026-41717 has been classified to as an EL Injection vulnerability or weakness.
Products Associated with CVE-2026-41717
Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.
Affected Versions
Spring Data MongoDB:- Version 5.0.0 and below 5.0.6 is affected.
- Version 4.5.0 and below 4.5.12 is affected.
- Version 4.4.0 and below 4.4.15 is affected.
- Version 4.3.0 and below 4.3.17 is affected.
- Version 4.2.0 and below 4.2.16 is affected.
- Version 4.1.0 and below 4.1.15 is affected.
- Version 4.0.0 and below 4.0.16 is affected.
- Version 3.4.0 and below 3.4.20 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.