CVE-2026-41732
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
Vulnerability in JsonPulsarHeaderMapper in Spring for Apache Pulsar where type header matching against trusted packages used a prefix check, meaning trusting any package implicitly trusted all its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages instead of applying a safe default allow-list.
Risk Assessment
The risk involves potential unauthorized processing of messages from untrusted packages, which could lead to remote code execution or other deserialization-related attacks.
Recommendation
Immediately upgrade Spring for Apache Pulsar to version 2.0.6 or later (for 2.0.x line) and to version 1.2.18 or 1.1.18 (for respective 1.x lines).
Original NVD description (English source)
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.

