Description
A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.

Affected versions:
Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE describes a SpEL injection flaw in Spring Data KeyValue, where unsanitized user input can be passed into a Sort parameter. When the repository query delegates evaluation to the SpelPropertyComparator, that input is interpreted as a Spring Expression Language expression. The flaw may allow an attacker to execute arbitrary code, read or modify data, or cause a denial of service. The weakness falls under CWE-917.

Affected Systems

The vulnerability affects Spring's Spring Data KeyValue and Spring Data Redis. All releases from 2.7.0 up to 4.0.5, inclusive, are vulnerable, as listed. Any deployment using these libraries without an upgrade to a fixed version is exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate risk, though the lack of an EPSS score means no estimate of exploitation probability is available. It is not listed in the CISA KEV catalog. Attackers can supply a malicious sort parameter in an HTTP request or API call, which is typically possible over a public-facing endpoint. The potential for remote code execution or data tampering makes this a serious threat.

Generated by OpenCVE AI on June 10, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Data KeyValue and Spring Data Redis to a fixed version, such as the next release after 4.0.5.
  • Validate or sanitize any user-supplied sort parameters before passing them to repository queries; reject or escape characters that can form SpEL expressions.
  • Limit the use of custom sorting to authenticated and authorized users, or disable sorting on publicly exposed endpoints.

Generated by OpenCVE AI on June 10, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41719 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Title Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator
Weaknesses CWE-917
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:48:42.396Z

Reserved: 2026-04-22T06:21:37.021Z

Link: CVE-2026-41719

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:51.800

Modified: 2026-06-10T00:16:51.800

Link: CVE-2026-41719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses