CVE Catalog

CVE-2026-41731

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

38th percentile - higher than 38% of all known CVEs

Summary

A vulnerability in Spring for Apache Kafka allows arbitrary JDK type deserialization via crafted message headers. JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper match trusted packages using a prefix check, enabling bypass of security restrictions.

Risk Assessment

An attacker can achieve remote code execution on the Kafka consumer, leading to full system compromise or data exfiltration.

Recommendation

Immediately upgrade Spring for Apache Kafka to version 4.0.6, 3.3.16, 3.2.14, 2.9.14, or 2.8.12 depending on your branch.

Original NVD description (English source)

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS