Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41719: Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator
Description
A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.
The application is vulnerable if all conditions below are true:
- The
SpelPropertyComparatoris used for sorting. - The method is exposed to untrusted input (e.g. via a custom REST endpoint)
- Unsanitized user input is directly passed to the method.
Affected Spring Products and Versions
Spring Data KeyValue:
- 4.0.0 to 4.0.5
- 3.5.0 to 3.5.11
- 3.4.0 to 3.4.14
- 3.3.0 to 3.3.16
- 3.2.0 to 3.2.15
- 3.1.0 to 3.1.14
- 3.0.0 to 3.0.15
- 2.7.0 to 2.7.19
- older unsupported versions
Spring Data Redis (through Spring Data KeyValue):
- 4.0.0 to 4.0.5
- 3.5.0 to 3.5.11
- 3.4.0 to 3.4.14
- 3.3.0 to 3.3.16
- 3.2.0 to 3.2.15
- 3.1.0 to 3.1.14
- 3.0.0 to 3.0.15
- 2.7.0 to 2.7.19
- older unsupported versions
Mitigation
Users of affected versions should upgrade to the corresponding fixed version of Spring Data KeyValue.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.0.x | 4.0.6 | OSS |
| 3.5.x | 3.5.12 | OSS |
| 3.4.x | 3.4.15 | Enterprise Support Only |
| 3.3.x | 3.3.17 | Enterprise Support Only |
| 2.7.x | 2.7.20 | Enterprise Support Only |
References
History
- 2026-06-09: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all