Description
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Published: 2026-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper of Spring for Apache Kafka. They match type headers against trusted packages using a simple prefix check, so trusting one package implicitly trusts all its subpackages. When combined with Jackson’s default bean deserialization, a producer can supply header values that trigger the consumer to deserialize arbitrary JDK types. Deserializing arbitrary Java objects can lead to remote code execution, data corruption, or denial of service.

Affected Systems

Spring for Apache Kafka versions 2.8.0 to 2.8.11, 2.9.0 to 2.9.13, 3.2.0 to 3.2.13, 3.3.0 to 3.3.15, and 4.0.0 to 4.0.5 are affected. The issue affects applications that use the default header mappers without restricting the trusted package list.

Risk and Exploitability

The CVSS score of 8.1 classifies this as a high severity vulnerability. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a malicious message producer that sends a crafted header in a Kafka message, causing a consumer to deserialize a chosen JDK class when the message is processed. The exploit requires network access to the Kafka cluster and the ability to produce messages to a topic that is consumed by an application using the default header mappers.

Generated by OpenCVE AI on June 10, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spring for Apache Kafka 4.0.6 or later, which removes the vulnerable header mappers.
  • If an upgrade is not possible, restrict the trusted packages configuration to only the necessary lightweight packages and avoid using wildcard prefixes.
  • Disable DefaultKafkaHeaderMapper and JsonKafkaHeaderMapper from the consumer configuration, or replace them with a custom header mapper that does not allow deserialization of arbitrary types.
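The difference between the prefix match described in this advisory and the two stricter checks the actions above call for (package-boundary match, explicit type allowlist), as an added illustration in Python; this is not Spring Kafka's code, and every package, class and header value in it is constructed for the example.

```python
# Added illustration of the trusted-package check this advisory describes.
# Not Spring Kafka's code: package names, class names and header values below
# are constructed for the example.
from typing import Callable, Iterable

# Consumer-side trusted-package list such as an application might configure.
TRUSTED_PACKAGES = ["com.example.events", "java.util"]

# Fully qualified types a benign producer legitimately sends in a type header.
EXPECTED_TYPES = ["com.example.events.OrderCreated", "java.util.LinkedHashMap"]

# Constructed type-header values: the first two are benign, the rest would only
# pass a prefix check (sub-package, name-sharing package, JDK sub-package).
SAMPLE_TYPE_HEADERS = EXPECTED_TYPES + [
    "com.example.events.internal.Probe",
    "com.example.eventsink.Sink",
    "java.util.concurrent.ConcurrentHashMap",
    "NoPackage",
]


def trusted_by_prefix(class_name: str, trusted: Iterable[str]) -> bool:
    """The flawed pattern from the advisory: a bare string-prefix test.

    Trusting 'com.example.events' also trusts every sub-package and even the
    unrelated package 'com.example.eventsink'; trusting 'java.util' pulls in
    'java.util.concurrent' and every other JDK sub-package."""
    return any(class_name.startswith(pkg) for pkg in trusted)


def trusted_by_package(class_name: str, trusted: Iterable[str]) -> bool:
    """Boundary-aware check: the class must sit directly in a trusted package.

    Splitting at the last '.' means sub-packages and name-sharing packages do
    not match, and a bare name with no package is rejected."""
    package, dot, _simple = class_name.rpartition(".")
    return bool(dot) and package in set(trusted)


def allowed_type(class_name: str, allowlist: Iterable[str]) -> bool:
    """Strictest option: an explicit allowlist of fully qualified class names,
    which a producer cannot widen by choosing a header value."""
    return class_name in set(allowlist)


def accepted(check: Callable[[str, Iterable[str]], bool],
             headers: Iterable[str], trusted: Iterable[str]) -> list[str]:
    """Header values the given check would let through to deserialization."""
    return [h for h in headers if check(h, trusted)]


if __name__ == "__main__":
    print("prefix   :", accepted(trusted_by_prefix, SAMPLE_TYPE_HEADERS, TRUSTED_PACKAGES))
    print("package  :", accepted(trusted_by_package, SAMPLE_TYPE_HEADERS, TRUSTED_PACKAGES))
    print("allowlist:", accepted(allowed_type, SAMPLE_TYPE_HEADERS, EXPECTED_TYPES))
```

Running it shows the prefix check accepting five of the six constructed headers while the other two checks accept only the two expected types.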

Generated by OpenCVE AI on June 10, 2026 at 01:21 UTC.

Advisories

Source: Github GHSA
ID: GHSA-xq69-5h5v-x9x4
Title: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
History

Tue, 16 Jun 2026 12:15:00 +0000

Type: References
Type: Metrics (threat_severity)
  Values removed: None
  Values added: Important

Wed, 10 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type: First Time appeared
  Values added: Spring; Spring spring For Apache Kafka; Vmware; Vmware spring For Apache Kafka
Type: Vendors & Products
  Values added: Spring; Spring spring For Apache Kafka; Vmware; Vmware spring For Apache Kafka

Wed, 10 Jun 2026 00:00:00 +0000

Type: Description
  Values added: JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Type: Title
  Values added: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
Type: Weaknesses
  Values added: CWE-502
Type: References
Type: Metrics (cvssV3_1)
  Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-30T12:08:45.738Z

Reserved: 2026-04-22T06:21:39.015Z

Link: CVE-2026-41731

Vulnrichment

Updated: 2026-06-10T17:18:16.919Z

NVD

Status : Awaiting Analysis

Published: 2026-06-10T00:16:52.597

Modified: 2026-06-10T19:24:04.320

Link: CVE-2026-41731

Redhat

Severity : Important

Public Date: 2026-06-09T23:49:26Z

Links: CVE-2026-41731 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T11:21:30Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data