Description
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.

Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting, leading to regular-expression injection. This flaw could allow an attacker to retrieve unfiltered data or cause query failures that disrupt application availability. The weakness is identified as CWE-943.

Affected Systems

The vulnerability affects Spring Data MongoDB versions 3.4.0 through 3.4.19, 4.0.0 through 4.0.15, 4.1.0 through 4.1.14, 4.2.0 through 4.2.15, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity flaw, and the EPSS score is not available, which suggests limited evidence of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitability requires the attacker to supply a crafted regex string to a query that is annotated with @Query; no remote code execution is possible through this vector, but the attack can be performed from any code that can invoke the affected repository methods.

Generated by OpenCVE AI on June 10, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Spring Data MongoDB release with the fix for regex binding validation
  • Validate or escape regex parameters in @Query annotations to prevent unauthorized characters
  • Verify query behavior in test environments to confirm that regex injection is mitigated

Generated by OpenCVE AI on June 10, 2026 at 01:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41696 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Title Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Weaknesses CWE-943
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:47:37.883Z

Reserved: 2026-04-22T06:21:22.981Z

Link: CVE-2026-41696

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:50.800

Modified: 2026-06-10T00:16:50.800

Link: CVE-2026-41696

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses