Description
A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator.

Affected versions:
Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE describes a SpEL injection flaw in Spring Data KeyValue, where unsanitized user input can be passed into a Sort parameter. When the repository query delegates evaluation to the SpelPropertyComparator, that input is interpreted as a Spring Expression Language expression. The flaw may allow an attacker to execute arbitrary code, read or modify data, or cause a denial of service. The weakness falls under CWE-917.

Affected Systems

The vulnerability affects Spring's Spring Data KeyValue and Spring Data Redis. All releases from 2.7.0 up to 4.0.5, inclusive, are vulnerable, as listed. Any deployment using these libraries without an upgrade to a fixed version is exposed.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate risk, though the lack of an EPSS score means no estimate of exploitation probability is available. It is not listed in the CISA KEV catalog. Attackers can supply a malicious sort parameter in an HTTP request or API call, which is typically possible over a public-facing endpoint. The potential for remote code execution or data tampering makes this a serious threat.

Generated by OpenCVE AI on June 10, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Data KeyValue and Spring Data Redis to a fixed version, such as the next release after 4.0.5.
  • Validate or sanitize any user-supplied sort parameters before passing them to repository queries; reject or escape characters that can form SpEL expressions.
  • Limit the use of custom sorting to authenticated and authorized users, or disable sorting on publicly exposed endpoints.

Generated by OpenCVE AI on June 10, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41719 cve-icon cve-icon
History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Data Keyvalue
Spring spring Data Redis
Vendors & Products Spring
Spring spring Data Keyvalue
Spring spring Data Redis

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.
Title Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator
Weaknesses CWE-917
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L'}

Subscriptions

Spring Spring Data Keyvalue Spring Data Redis
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-10T12:54:36.842Z

Reserved: 2026-04-22T06:21:37.021Z

Link: CVE-2026-41719

cve-icon Vulnrichment

Updated: 2026-06-10T12:54:29.966Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T00:16:51.800

Modified: 2026-06-10T19:24:04.320

Link: CVE-2026-41719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:40Z

Weaknesses
  • CWE-917

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')