CVE-2026-41717

Command Injection
Affects Spring Data MongoDB in Spring
Versions
>=3.2.0 <=3.2.12, >=3.4.0 <=3.4.19, >=4.0.0 <=4.0.15, >=4.1.0 <=4.1.14, >=4.2.0 <=4.2.15, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data MongoDB is the MongoDB module of the Spring Data family, providing the repository abstraction, MongoTemplate, and annotation-driven query support that let Java applications map domain objects to MongoDB documents and express queries declaratively. It is used widely both directly and as a transitive dependency of Spring Boot data-MongoDB starters.

A high-severity vulnerability (CVE-2026-41717) has been identified in Spring Data MongoDB's annotated-query parameter binding. Repository query methods that declare @Query or @Aggregation with a capture-all placeholder, such as @Query("?0") or @Query(":#{?0}"), route the bound parameter value through the binding-aware JSON reader. A crafted value can break out of the literal region it is meant to occupy and have the remainder of its content interpreted as live query or expression syntax, so an application that exposes such a method to untrusted input without sanitizing it allows an attacker to inject Spring Expression Language (SpEL) and query content into the assembled MongoDB query.

Per OWASP, expression language injection occurs when user input is evaluated as part of an Expression Language statement, allowing an attacker to manipulate application logic and access objects and methods reachable from the evaluation context. Because Spring Data MongoDB evaluates the bound value through SpEL during query assembly, attacker-controlled input that escapes its binding is evaluated as an expression rather than treated as inert data.

This issue affects >=3.2.0 <=3.2.12, >=3.4.0 <=3.4.19, >=4.0.0 <=4.0.15, >=4.1.0 <=4.1.14, >=4.2.0 <=4.2.15, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, and >=5.0.0 <=5.0.5 of Spring Data MongoDB, as well as older unsupported versions.

Details

Module Info

Vulnerability Info

The vulnerability is in the annotated-query parameter-binding machinery, specifically org.springframework.data.mongodb.util.json.ParameterBindingJsonReader and org.springframework.data.mongodb.util.json.ParameterBindingDocumentCodec. These classes assemble the final MongoDB query by substituting bound parameter values into the query template defined on a repository method.

An application is exposed when a repository query method uses an @Query or @Aggregation annotation with a capture-all placeholder, for example:

import java.util.List;

import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

public interface PersonRepository extends MongoRepository<Person, String> {

    // Capture-all placeholder: the bound argument is the entire query template,
    // so the argument defines the query rather than a single field value.
    @Query("?0")
    List<Person> findByRawQuery(String rawQuery);

    // Capture-all SpEL placeholder: the argument is substituted into a SpEL
    // expression that is then evaluated to produce the query.
    @Query(":#{?0}")
    List<Person> findBySpelQuery(String spelQuery);
}

When the bound value is embedded inside a quoted or regex-literal region of the query template, the binding logic wraps it using the \Q ... \E quote-literal markers so it is treated as inert text. Two flaws let an attacker escape that protection. First, the bound value was spliced in without consistently neutralizing an embedded \E sequence: a value such as \E.* could prematurely close the quote-literal region, after which the remaining characters were parsed as live regex and query syntax. In the SpEL substitution path the value was inserted with no quote-literal escaping at all. Second, when a binding or SpEL expression produced a String result, that result was fed back through the binding-aware decode path a second time, so attacker-influenced output of the first pass could itself be re-interpreted as a parameterized query.

The combined effect is SpEL expression injection during query assembly: a crafted parameter such as :#{new org.bson.Document('foo','bar')} supplied to a ?0 or :#{?0} placeholder is evaluated rather than bound as data. Because SpEL evaluation can reach arbitrary objects and methods on the classpath, the exposure carries high impact on confidentiality, integrity, and availability (CVSS v3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

This vulnerability has been present since Spring Data MongoDB 3.4.0.

Mitigation

The affected 3.4.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x, and 4.4.x lines of Spring Data MongoDB are End-of-Life on the open-source feed and do not receive further OSS security fixes; OSS fixes are published only for the 4.5.x and 5.0.x lines. Older versions have no publicly available fix for this vulnerability.

Users of the affected versions should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Data MongoDB. The OSS fix ships in 5.0.6 and 4.5.12.
  • As a code-level workaround where upgrading is not immediately possible, avoid binding untrusted input through capture-all placeholders (@Query("?0") / @Query(":#{?0}")); reference parameters through specific field positions and validate or sanitize any externally supplied query input before it reaches a repository method.
  • For environments that must remain on an End-of-Life line, HeroDevs Never-Ending Support (NES) for Spring Data MongoDB provides a drop-in replacement that backports this fix without requiring a version upgrade. Learn more about HeroDevs Never-Ending Support for Spring Data MongoDB and request coverage at https://www.herodevs.com/support/spring-nes.
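The second mitigation above, as an added example that is not part of this advisory or of the Spring Data project: a repository that binds arguments only into specific field positions of a fixed query shape, and a service layer that allowlist-validates externally supplied values before they reach the repository. Person, PersonRepository, PersonService and the NAME pattern are illustrative assumptions.

```java
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;
import org.springframework.stereotype.Service;

// Minimal domain type assumed for this example.
class Person { String id, firstname, lastname; }
// Hardened repository: no capture-all placeholder. Each parameter lands in one
// value position of a document shape fixed in the template, so the argument is
// data for that field and cannot redefine the query or reach a SpEL expression.
interface PersonRepository extends MongoRepository<Person, String> {

    @Query("{ 'lastname' : ?0 }")
    List<Person> findByLastname(String lastname);

    // Where the query is simple, a derived query needs no template at all.
    List<Person> findByLastnameAndFirstname(String lastname, String firstname);
}

// Service layer: allowlist-validate externally supplied values before they reach
// the repository, as the advisory's code-level workaround recommends.
@Service
class PersonService {

    // A name: letters, combining marks, space, apostrophe or hyphen, 1-64 chars.
    // Backslashes, braces, '$', ':' and '#' are outside the allowlist, so values
    // carrying \E or :#{ markers are rejected before binding.
    private static final Pattern NAME = Pattern.compile("^[\\p{L}\\p{M} '\\-]{1,64}$");
    private final PersonRepository repository;

    PersonService(PersonRepository repository) {
        this.repository = repository;
    }

    // Returns the value unchanged if it matches the allowlist, else throws.
    static String requireName(String value, String field) {
        if (value == null || !NAME.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected value for " + field);
        }
        return value;
    }

    List<Person> search(String lastname, String firstname) {
        return repository.findByLastnameAndFirstname(
                requireName(lastname, "lastname"), requireName(firstname, "firstname"));
    }
}
```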
Vulnerability Details

Severity: High (CVSS assessment scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-41717
Project Affected: Spring Data MongoDB
Versions Affected: >=3.2.0 <=3.2.12, >=3.4.0 <=3.4.19, >=4.0.0 <=4.0.15, >=4.1.0 <=4.1.14, >=4.2.0 <=4.2.15, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
NES Versions Affected:
Published date: June 11, 2026
≈ Fix date: June 11, 2026
Category: Command Injection