Description
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Published: 2026-06-09
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper of Spring for Apache Kafka. They match type headers against trusted packages using a simple prefix check, so trusting one package implicitly trusts all its subpackages. When combined with Jackson’s default bean deserialization, a producer can supply header values that trigger the consumer to deserialize arbitrary JDK types. Deserializing arbitrary Java objects can lead to remote code execution, data corruption, or denial of service.
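To make the "prefix check" problem concrete, here is an added illustration that is not Spring Kafka's code: a hypothetical TrustedPackageMatcher that places the startsWith-style check the advisory describes beside a package-boundary check of the kind the recommended "restrict trusted packages" mitigation relies on. The trusted package names and the class names fed to it are constructed for the example.

```java
import java.util.List;
import java.util.Set;

/**
 * Hypothetical stand-in for the trusted-package gate a header mapper applies
 * before handing a type name from a Kafka header to Jackson.
 * This is example code, not Spring Kafka's implementation.
 */
public final class TrustedPackageMatcher {

    private final Set<String> trustedPackages;

    public TrustedPackageMatcher(String... trustedPackages) {
        this.trustedPackages = Set.of(trustedPackages);
    }

    /**
     * Prefix check of the kind the advisory describes: trusting "java.lang"
     * also trusts every subpackage ("java.lang.reflect") and even sibling
     * packages that merely share the characters ("java.language").
     */
    public boolean isTrustedByPrefix(String className) {
        for (String pkg : trustedPackages) {
            if (className.startsWith(pkg)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Boundary-aware check: the class must live directly in a trusted
     * package. Subpackages and prefix collisions are rejected.
     */
    public boolean isTrustedExact(String className) {
        int lastDot = className.lastIndexOf('.');
        if (lastDot <= 0) {
            return false; // no package (or default package): never trusted
        }
        String pkg = className.substring(0, lastDot);
        return trustedPackages.contains(pkg);
    }

    public static void main(String[] args) {
        // Constructed configuration: trust one JDK package and one application package.
        TrustedPackageMatcher m = new TrustedPackageMatcher("java.lang", "com.example.events");

        // Constructed type names as they might arrive in a type header.
        List<String> names = List.of(
            "java.lang.String",                // directly in a trusted package: both checks accept
            "java.lang.reflect.Method",        // subpackage: only the prefix check accepts
            "java.language.Anything",          // sibling package sharing a prefix: only the prefix check accepts
            "com.example.events.OrderPlaced",  // legitimate payload type: both accept
            "com.example.eventsink.Sink",      // prefix collision: only the prefix check accepts
            "NoPackage");                      // no package: both reject

        for (String n : names) {
            System.out.printf("%-34s prefix=%-5b exact=%b%n",
                    n, m.isTrustedByPrefix(n), m.isTrustedExact(n));
        }
    }
}
```

Running main prints one line per type name; the two middle columns differ exactly for the subpackage and prefix-collision cases, which is the gap the advisory describes. Note that a boundary-aware match only narrows which packages are consulted; it does not by itself make every class in a trusted package safe to deserialize, which is why the recommended actions pair restricting the list with upgrading to a release that removes the vulnerable mappers.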

Affected Systems

Spring for Apache Kafka versions 2.8.0 to 2.8.11, 2.9.0 to 2.9.13, 3.2.0 to 3.2.13, 3.3.0 to 3.3.15, and 4.0.0 to 4.0.5 are affected. The issue affects applications that use the default header mappers without restricting the trusted package list.

Risk and Exploitability

The CVSS score of 8.1 classifies this as a high severity vulnerability. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a malicious message producer that sends a crafted header in a Kafka message, causing a consumer to deserialize a chosen JDK class when the message is processed. The exploit requires network access to the Kafka cluster and the ability to produce messages to a topic that is consumed by an application using the default header mappers.

Generated by OpenCVE AI on June 10, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spring for Apache Kafka 4.0.6 or later, which removes the vulnerable header mappers.
  • If an upgrade is not possible, restrict the trusted packages configuration to only the necessary lightweight packages and avoid using wildcard prefixes.
  • Disable DefaultKafkaHeaderMapper and JsonKafkaHeaderMapper from the consumer configuration, or replace them with a custom header mapper that does not allow deserialization of arbitrary types.


Advisories

No advisories yet.

References
History

Wed, 10 Jun 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Title       |                | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
Weaknesses  |                | CWE-502
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:49:26.535Z

Reserved: 2026-04-22T06:21:39.015Z

Link: CVE-2026-41731

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:52.597

Modified: 2026-06-10T00:16:52.597

Link: CVE-2026-41731

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses