CVE-2026-41717

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://spring.io/security/cve-2026-41717

Configurations

No configuration.

History

10 Jun 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-10 00:16

Updated : 2026-06-10 00:16

NVD link : CVE-2026-41717

Mitre link : CVE-2026-41717

CVE.ORG link : CVE-2026-41717

JSON object : View

Products Affected

No product.

CWE

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

8.1 /10