Spring Pulsar JSON Header RCE: Trusted Package Prefix (2.0.5, 1.2.17, 1.1.17)
CVE-2026-41732 Published on June 9, 2026
In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list.
Affected versions:
Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Vulnerability Analysis
CVE-2026-41732 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-41732 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2026-41732
stack.watch emails you whenever new vulnerabilities are published in VMware Spring Framework or F5 Networks Pulsar. Just hit a watch button to start following.
Affected Versions
Spring for Apache Pulsar:- Version 2.0.0 and below 2.0.6 is affected.
- Version 1.2.0 and below 1.2.18 is affected.
- Version 1.1.0 and below 1.1.18 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.