Spring Security Advisories

RSS feed

CVE-2026-41726: In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header

MEDIUM | JUNE 09, 2026 | CVE-2026-41726

Description

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Only deployments that explicitly configured DelegatingDeserializer are affected.

Affected Spring Products and Versions

Spring for Apache Kafka:

  • 4.0.0 - 4.0.5
  • 3.3.0 - 3.3.15
  • 3.2.0 - 3.2.13
  • 2.9.0 - 2.9.13
  • 2.8.0 - 2.8.11

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
4.0.x 4.0.6 OSS
4.0.5.1 Commercial
3.3.x 3.3.16 OSS
3.3.15.1 Commercial
3.2.x 3.2.14 Commercial
2.9.x 2.9.14 Commercial
2.8.x 2.8.12 Commercial

No further mitigation steps are necessary.

Credit

This issue was discovered internally.

References

History

  • 2026-06-09: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all