Description
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.

Affected versions:
Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting, leading to regular-expression injection. This flaw could allow an attacker to retrieve unfiltered data or cause query failures that disrupt application availability. The weakness is identified as CWE-624 and CWE-943.

Affected Systems

The vulnerability affects Spring Data MongoDB versions 3.4.0 through 3.4.19, 4.0.0 through 4.0.15, 4.1.0 through 4.1.14, 4.2.0 through 4.2.15, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5.

Risk and Exploitability

The CVSS score of 5.9 indicates a medium severity flaw, and the EPSS score is < 1%, indicating limited evidence of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitability requires the attacker to supply a crafted regex string to a query that is annotated with @Query; no remote code execution is possible through this vector, but the attack can be performed from any code that can invoke the affected repository methods.

Generated by OpenCVE AI on June 29, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Spring Data MongoDB release with the fix for regex binding validation
  • Validate or escape regex parameters in @Query annotations to prevent unauthorized characters
  • Verify query behavior in test environments to confirm that regex injection is mitigated

Generated by OpenCVE AI on June 29, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-624
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 10 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Data Mongodb
Vmware
Vmware spring Data Mongodb
Vendors & Products Spring
Spring spring Data Mongodb
Vmware
Vmware spring Data Mongodb

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Title Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Weaknesses CWE-943
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Spring Spring Data Mongodb
Vmware Spring Data Mongodb
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-10T17:53:14.235Z

Reserved: 2026-04-22T06:21:22.981Z

Link: CVE-2026-41696

cve-icon Vulnrichment

Updated: 2026-06-10T17:53:09.993Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T00:16:50.800

Modified: 2026-06-10T19:24:04.320

Link: CVE-2026-41696

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-09T23:47:37Z

Links: CVE-2026-41696 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:00:05Z

Weaknesses
  • CWE-624

    Executable Regular Expression Error

  • CWE-943

    Improper Neutralization of Special Elements in Data Query Logic