CVE-2026-41696
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Data MongoDB is the MongoDB module of the Spring Data family, providing object-document mapping and repository abstractions for building MongoDB-backed Spring applications.
A medium-severity vulnerability (CVE-2026-41696) has been identified in Spring Data MongoDB. Repository query methods annotated with @Query that bind a parameter inside a regular expression literal do not sufficiently validate or escape the bound value. An attacker who can supply a crafted value containing the regex quote terminator can break out of the intended literal quoting and inject regular expression syntax, changing which documents the query matches. When the repository is reachable from untrusted input, for example through spring-data-rest, this can expose data the query filter was meant to exclude or bypass the filter entirely.
Per OWASP, sensitive information disclosure occurs when an application allows an actor to access data they are not authorized to see. Here, breaking out of the intended literal quoting widens the query so that documents the filter was meant to exclude become reachable to the attacker.
This issue affects versions >=3.2.0 <=3.2.12, >=3.4.0 <=3.4.19, >=4.0.0 <=4.0.15, >=4.1.0 <=4.1.14, >=4.2.0 <=4.2.15, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, and >=5.0.0 <=5.0.5 of Spring Data MongoDB.
Details
Module Info
- Product: Spring Data MongoDB
- Affected packages: spring-data-mongodb
- Affected versions: >=3.2.0 <=3.2.12, >=3.4.0 <=3.4.19, >=4.0.0 <=4.0.15, >=4.1.0 <=4.1.14, >=4.2.0 <=4.2.15, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
- GitHub repository: https://github.com/spring-projects/spring-data-mongodb
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-mongodb
- Package manager: Maven
- Fixed in:
  - NES for Spring Data MongoDB 3.2.x, 3.4.x, 4.2.x, 4.3.x, 4.4.x
  - Spring Data MongoDB 5.0.6, 4.5.12 (OSS)
Vulnerability Info
Spring Data MongoDB allows a repository @Query to embed a bound parameter inside a regular expression literal that is wrapped in the literal-quote markers \Q and \E. The intent is that the bound value is matched literally, so any regular expression metacharacters it contains have no special meaning. In Java source the backslashes are doubled because the query sits inside a string literal:

```java
@Query("{ name : /^\\Q?0\\E$/ }")
```

The placeholder substitution is performed in ParameterBindingJsonReader, which interpolates the bound value into the pattern string and constructs a BsonRegularExpression from the result. The bound value is not escaped before substitution, so if the value itself contains the sequence \E, it terminates the \Q...\E literal quoting early. Anything the attacker places after \E is then interpreted as live regular expression syntax rather than as literal text.
For example, a method bound with the query above is meant to match a name equal to the supplied string. Supplying a value such as \E.* closes the literal quote immediately, so the pattern sent to the server becomes ^\Q\E.*\E$: the \Q\E pair is an empty literal, .* matches any name, and the trailing \E has no opening \Q, which PCRE (the engine the MongoDB server uses) silently ignores. The query therefore matches every document instead of the single name the filter was written for. By injecting alternation, anchors, or wildcards in this way, an attacker can broaden or redirect the query and read data outside the intended result set.
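To make the mechanism concrete, the script below is an added example; it is not Spring Data MongoDB's code and does not reproduce ParameterBindingJsonReader. It models the binding step as plain string substitution into the advisory's ^\Q?0\E$ pattern, translates \Q...\E quoting into a Python regex with PCRE's rules (quoted text is literal, an isolated \E is ignored), and compares the affected behaviour with a hardened binder that neutralises \E in the bound value the way java.util.regex.Pattern.quote does. The function names, the PATTERN_TEMPLATE constant and the NAMES sample are all constructed for this example, and the hardened binder is one possible fix, not a description of the upstream patch.

```python
import re

# Constructed stand-in for the advisory's @Query pattern: the ?0 placeholder
# sits between the \Q and \E literal-quote markers.
PATTERN_TEMPLATE = r"^\Q?0\E$"

# Constructed sample of the "name" field of a collection.
NAMES = ["alice", "bob", "carol"]


def bind_unescaped(template: str, value: str) -> str:
    """Model of the affected behaviour: the bound value is interpolated into
    the pattern string as-is, so a \\E inside it ends the literal quote."""
    return template.replace("?0", value)


def quote_for_qe(value: str) -> str:
    """Neutralise \\E inside a value that will be placed between \\Q and \\E.
    Same rewrite java.util.regex.Pattern.quote applies: close the quote,
    emit an escaped backslash plus E, and reopen the quote."""
    return value.replace(r"\E", r"\E\\E\Q")


def bind_escaped(template: str, value: str) -> str:
    """Hardened binder (one possible fix, not necessarily the upstream one)."""
    return template.replace("?0", quote_for_qe(value))


def qe_to_python(pattern: str) -> str:
    """Translate \\Q...\\E quoting into a plain Python regex, because re has no
    \\Q support. Follows PCRE semantics, which the MongoDB server uses: quoted
    text is literal, an unterminated \\Q runs to the end of the pattern, and an
    isolated \\E with no preceding \\Q is ignored."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        if pattern.startswith(r"\Q", i):
            end = pattern.find(r"\E", i + 2)
            if end == -1:
                out.append(re.escape(pattern[i + 2:]))
                break
            out.append(re.escape(pattern[i + 2:end]))
            i = end + 2
        elif pattern.startswith(r"\E", i):
            i += 2  # isolated \E: dropped, as PCRE does
        elif pattern[i] == "\\" and i + 1 < n:
            out.append(pattern[i:i + 2])  # keep other escapes (e.g. \\) intact
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def matching_names(pattern: str, names: list[str]) -> list[str]:
    """Apply a \\Q...\\E-style pattern to the sample names; the returned list
    is the set of documents the repository query would hand back."""
    regex = re.compile(qe_to_python(pattern))
    return [name for name in names if regex.search(name)]


if __name__ == "__main__":
    # "alice" matches one document either way; "a.ice" shows that \Q...\E does
    # neutralise ordinary metacharacters; "\E.*" shows the quote terminator
    # escaping the literal and matching every document in the affected model.
    for value in ["alice", "a.ice", r"\E.*"]:
        print(repr(value),
              "unescaped:", matching_names(bind_unescaped(PATTERN_TEMPLATE, value), NAMES),
              "escaped:", matching_names(bind_escaped(PATTERN_TEMPLATE, value), NAMES))
```

One caveat when reproducing this with java.util.regex instead: Pattern.compile rejects an unmatched \E with a PatternSyntaxException, so compiling the injected pattern on the client side fails. The BsonRegularExpression is not compiled by the driver; it is evaluated by the MongoDB server, whose PCRE-based engine ignores the stray \E, which is why the \E.* payload in the advisory works end to end.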
A related weakness allowed an expression result to be decoded a second time through the parameter-binding reader, re-running placeholder binding over output that had already been bound.
This vulnerability has been present since Spring Data MongoDB 2.2.0.
Mitigation
Spring Data MongoDB versions in the affected range that are no longer covered by open-source maintenance are End-of-Life and will not receive security updates from the upstream project. Upstream open-source fixes are available only for the 5.0.x and 4.5.x lines (5.0.6 and 4.5.12); the 3.2.x, 3.4.x and 4.0.x through 4.4.x lines have no publicly available fix.
Users should not attempt to patch affected versions themselves. The recommended actions are:
- Upgrade to a supported, fixed version of Spring Data MongoDB (5.0.6 or 4.5.12 or later).
- For versions that are End-of-Life or otherwise cannot be upgraded, use HeroDevs Never-Ending Support (NES) for Spring Data MongoDB, which provides a maintained drop-in replacement with this vulnerability remediated. Learn more about HeroDevs Never-Ending Support for Spring Data MongoDB and request coverage at https://www.herodevs.com/support/spring-nes.