CVE Catalog

CVE-2026-41732

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

Vulnerability in JsonPulsarHeaderMapper in Spring for Apache Pulsar where type header matching against trusted packages used a prefix check, meaning trusting any package implicitly trusted all its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages instead of applying a safe default allow-list.

Risk Assessment

The risk involves potential unauthorized processing of messages from untrusted packages, which could lead to remote code execution or other deserialization-related attacks.

Recommendation

Immediately upgrade Spring for Apache Pulsar to version 2.0.6 or later (for 2.0.x line) and to version 1.2.18 or 1.1.18 (for respective 1.x lines).

Original NVD description (English source)

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS