CVE-2026-41731
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk38th percentile - higher than 38% of all known CVEs
Summary
A vulnerability in Spring for Apache Kafka allows arbitrary JDK type deserialization via crafted message headers. JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper match trusted packages using a prefix check, enabling bypass of security restrictions.
Risk Assessment
An attacker can achieve remote code execution on the Kafka consumer, leading to full system compromise or data exfiltration.
Recommendation
Immediately upgrade Spring for Apache Kafka to version 4.0.6, 3.3.16, 3.2.14, 2.9.14, or 2.8.12 depending on your branch.
Original NVD description (English source)
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

