Description
Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring for Apache Kafka fails to validate user-controlled retry_topic-attempts header values, allowing a producer to supply an out-of-range retry attempt count. The malformed header misleads the retry topic router into incorrectly determining a message's position in the retry sequence, potentially causing messages to be lost, misdelivered, or processed out of order. This flaw is a classic input validation weakness (CWE‑20).

Affected Systems

Spring for Apache Kafka versions 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11 are impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 and is not listed in CISA KEV, with no EPSS value available. A likely attack vector is a client with permission to produce messages to Kafka; the attacker can craft a message containing a forged retry_topic-attempts header to subvert retry routing. Because the exploit requires only a producer role, it is executable by any entity able to send messages to the target Kafka cluster, making the risk moderate but operable in environments where producer access is not tightly constrained.

Generated by OpenCVE AI on June 10, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring for Apache Kafka to a version that includes the fixed retry topic validation logic (e.g., any release after the affected ranges listed).
  • If an immediate upgrade is not feasible, validate or reject retry_topic-attempts header values in the application layer before messages reach Kafka, ensuring they fall within the allowed range and preventing malformed retry sequences.
  • Configure monitoring to detect anomalous retry attempts or misrouted messages, enabling rapid incident response if the flaw is exploited.

Generated by OpenCVE AI on June 10, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41727 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Title In Spring for Apache Kafka, forged retry topic headers subvert retry routing and backoff behavior
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:49:10.215Z

Reserved: 2026-04-22T06:21:39.014Z

Link: CVE-2026-41727

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:52.143

Modified: 2026-06-10T00:16:52.143

Link: CVE-2026-41727

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses