CVE-2026-41717
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
A SpEL injection vulnerability in Spring Data MongoDB occurs during parameter binding in @Query annotated repository methods using a capture-all placeholder. Attackers can inject malicious SpEL expressions, potentially leading to remote code execution or data compromise.
Risk Assessment
The risk includes potential remote code execution, data exfiltration, or privilege escalation, allowing an attacker to fully compromise the application server.
Recommendation
Upgrade Spring Data MongoDB to version 5.0.6 or later (for 5.0.x branch) and apply corresponding patches for other affected versions. Avoid using capture-all placeholders in @Query methods without proper input validation.
Original NVD description (English source)
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

