View all Vulnerabilities

CVE-2026-41727

Content Spoofing
Affects
Spring for Apache Kafka
in
Spring
No items found.
Versions
>=2.7.0 <=2.7.14, >=2.8.0 <=2.8.11, >=2.9.0 <=2.9.13, >=3.1.0 <=3.1.10, >=3.2.0 <=3.2.13, >=3.3.0 <=3.3.15, >=4.0.0 <=4.0.5
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring for Apache Kafka applies core Spring concepts to the development of Kafka-based messaging solutions, providing the KafkaTemplate, message-driven listener containers, and the non-blocking retry topic infrastructure that Spring and Spring Boot applications use to produce and consume Apache Kafka records.

A medium-severity vulnerability (CVE-2026-41727) has been identified in Spring for Apache Kafka. The retry topic feature coordinates non-blocking retries by attaching metadata headers to each record: retry_topic-attempts records how many delivery attempts have occurred, and retry_topic_backoff-timestamp tells the consumer when the record may next be processed. In affected versions, neither header is validated before being acted on. A producer who can send records to a topic the application consumes can forge an out-of-range attempt count to make the retry router misidentify where a message is in the retry sequence, or forge a far-future backoff timestamp to make the backoff manager pause the listener arbitrarily long, stalling consumption far beyond any intended retry window.

Per OWASP, a denial-of-service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed; there are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resource-handling vulnerabilities, among others.

This issue affects versions >=2.7.0 <=2.7.14, >=2.8.0 <=2.8.11, >=2.9.0 <=2.9.13, >=3.1.0 <=3.1.10, >=3.2.0 <=3.2.13, >=3.3.0 <=3.3.15, and >=4.0.0 <=4.0.5, as well as older, unsupported versions, of Spring for Apache Kafka.

Details

Module Info

Vulnerability Info

Applications that enable Spring for Apache Kafka's non-blocking retries, via @RetryableTopic or a RetryTopicConfiguration bean, route failed records through a chain of retry topics before a final dead-letter topic. The framework keeps track of the retry state in record headers that any producer can set, and two of those headers were trusted without validation.

The first flaw is in the attempt counter. When a record fails, DeadLetterPublishingRecovererFactory reads the retry_topic-attempts header to decide which retry topic (or the dead-letter topic) the record should be forwarded to next:

private int getAttempts(ConsumerRecord<?, ?> consumerRecord) {
    Header header = consumerRecord.headers().lastHeader(RetryTopicHeaders.DEFAULT_HEADER_ATTEMPTS);
    if (header != null) {
        byte[] value = header.value();
        if (value.length == Byte.BYTES) { // backwards compatibility
            return value[0];
        }
        else if (value.length == Integer.BYTES) {
            return ByteBuffer.wrap(value).getInt();
        }
        else {
            LOGGER.debug(() -> "Unexpected size for " + RetryTopicHeaders.DEFAULT_HEADER_ATTEMPTS + " header: "
                    + value.length);
        }
    }
    return 1;
}

The decoded value is passed directly into destination topic resolution. A forged four-byte header can claim any attempt count, including negative values or Integer.MAX_VALUE, causing the router to misidentify the message's position in the retry sequence, for example sending a first-failure record straight past its remaining retries. The legacy one-byte path also sign-extends the raw byte, so a value of 0x80 decodes as -128 rather than 128, corrupting the count even for non-malicious producers that wrote large legitimate values.

The second flaw is in the backoff timestamp. Before dispatching a record from a retry topic, KafkaBackoffAwareMessageListenerAdapter reads the retry_topic_backoff-timestamp header and, if present, asks the backoff manager to pause the consumer until that time arrives:

private Optional<Long> maybeGetBackoffTimestamp(ConsumerRecord<K, V> data) {
    return Optional
            .ofNullable(data.headers().lastHeader(this.backoffTimestampHeader))
            .map(timestampHeader -> new BigInteger(timestampHeader.value()).longValue());
}


No bounds check is applied to the decoded timestamp. A producer who writes a far-future value, up to Long.MAX_VALUE, instructs the backoff manager to suspend the listener's partition for an effectively unbounded duration, halting consumption of that topic and turning a single crafted record into a denial of service.

The remediation hardens both decoding paths: the attempts header is read as unsigned in the legacy one-byte form and clamped to a sane range, with out-of-range values and unexpected header lengths resolving to an attempt count of 1, and backoff timestamps whose implied pause would exceed one day are ignored as if the header were absent, so the record proceeds to the listener without invoking the backoff manager. Only applications that use the retry topic feature process these headers.

This vulnerability was introduced in 2021 with Spring for Apache Kafka 2.7.

Mitigation

Spring for Apache Kafka 3.3.x and 4.0.x receive the fix in the open-source releases 3.3.16 and 4.0.6; the 2.8.x, 2.9.x, and 3.2.x lines, along with older lines such as 2.7.x and 3.1.x, are past their open-source support window and have no publicly available fix. Users still running an affected open-source line that no longer receives free updates should not attempt to hand-patch the retry topic header handling.

To remediate this issue, affected users have two recommended options:

  1. Upgrade to a supported, fixed release of Spring for Apache Kafka (3.3.16 or 4.0.6).
  2. Adopt HeroDevs Never-Ending Support (NES) for Spring for Apache Kafka, which provides a drop-in compatible build with this vulnerability fixed for release lines that are otherwise end-of-life, with no code changes required. Learn more about HeroDevs Never-Ending Support for Spring and request coverage at https://www.herodevs.com/support/spring-nes.

Credits

  • This issue was discovered internally, per the vendor advisory.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-41727
PROJECT Affected
Spring for Apache Kafka
Versions Affected
>=2.7.0 <=2.7.14, >=2.8.0 <=2.8.11, >=2.9.0 <=2.9.13, >=3.1.0 <=3.1.10, >=3.2.0 <=3.2.13, >=3.3.0 <=3.3.15, >=4.0.0 <=4.0.5
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Content Spoofing
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.