Description
Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring for Apache Kafka fails to validate user-controlled retry_topic-attempts header values, allowing a producer to supply an out-of-range retry attempt count. The malformed header misleads the retry topic router into incorrectly determining a message's position in the retry sequence, potentially causing messages to be lost, misdelivered, or processed out of order. This flaw is a classic input validation weakness (CWE‑20).

Affected Systems

Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11 are impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 and is not listed in CISA KEV, with no EPSS value available. A likely attack vector is a client with permission to produce messages to Kafka; the attacker can craft a message containing a forged retry_topic-attempts header to subvert retry routing. Because the exploit requires only a producer role, it is executable by any entity able to send messages to the target Kafka cluster, making the risk moderate but operable in environments where producer access is not tightly constrained.

Generated by OpenCVE AI on June 10, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring for Apache Kafka to a version that includes the fixed retry topic validation logic (e.g., any release after the affected ranges listed).
  • If an immediate upgrade is not feasible, validate or reject retry_topic-attempts header values in the application layer before messages reach Kafka, ensuring they fall within the allowed range and preventing malformed retry sequences.
  • Configure monitoring to detect anomalous retry attempts or misrouted messages, enabling rapid incident response if the flaw is exploited.

Generated by OpenCVE AI on June 10, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41727 cve-icon cve-icon
History

Wed, 10 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring For Apache Kafka
Vmware
Vmware spring For Apache Kafka
Vendors & Products Spring
Spring spring For Apache Kafka
Vmware
Vmware spring For Apache Kafka

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Title In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Spring Spring For Apache Kafka
Vmware Spring For Apache Kafka
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-27T21:15:43.681Z

Reserved: 2026-04-22T06:21:39.014Z

Link: CVE-2026-41727

cve-icon Vulnrichment

Updated: 2026-06-10T17:34:03.504Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T00:16:52.143

Modified: 2026-06-10T19:24:04.320

Link: CVE-2026-41727

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:35Z

Weaknesses
  • CWE-20

    Improper Input Validation