CVE-2026-41696
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk17th percentile - higher than 17% of all known CVEs
Summary
In Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding, there is insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.
Risk Assessment
Insufficient parameter validation may lead to unauthorized query execution, jeopardizing data integrity and application security.
Recommendation
It is recommended to upgrade to the latest version of Spring Data MongoDB to ensure proper regex parameter validation and minimize the risk of attacks.
Original NVD description (English source)
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

