Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41696: Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Description
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding (e.g., @Query("{ name : /^\\Q?0\\E$/ }")) perform insufficient validation of the bound parameter.
An attacker can supply a crafted string to break out of the intended regular expression quoting. When the repository is exposed to untrusted sources (e.g. via spring-data-rest). This can lead to unauthorized data exposure or bypass of intended query filters.
Affected Spring Products and Versions
Spring Data MongoDB:
- 5.0.0 to 5.0.5
- 4.5.0 to 4.5.11
- 4.4.0 to 4.4.14
- 4.3.0 to 4.3.16
- 4.2.0 to 4.2.15
- 4.1.0 to 4.1.14
- 4.0.0 to 4.0.15
- 3.4.0 to 3.4.19
- older unsupported versions
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 5.0.x | 5.0.6 | OSS |
| 4.5.x | 4.5.12 | OSS |
| 4.4.x | 4.4.15 | Enterprise Support Only |
| 4.3.x | 4.3.17 | Enterprise Support Only |
| 3.4.x | 3.4.20 | Enterprise Support Only |
References
History
- 2026-06-09: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all