Description
JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list.

Affected versions:
Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Published: 2026-06-09
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in JsonPulsarHeaderMapper causes any header type that matches a trusted package prefix to be accepted, so trusting a package implicitly trusts all of its subpackages. When the trusted-packages list is empty the mapper falls back to trusting every package. This behaviour allows JDK classes to be deserialized from incoming Pulsar messages, leading to code execution on the server. The weakness is a classic insecure deserialization flaw, identified as CWE-502.

Affected Systems

Spring:Spring for Apache Pulsar versions 1.1.0 through 1.1.17, 1.2.0 through 1.2.17, and 2.0.0 through 2.0.5 are impacted. Any deployment of these editions that has the trusted-packages configuration either set to include broad prefixes or left empty is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity for this vulnerability. No EPSS score is provided, indicating that publicly documented exploitation is not known at this time. It is also not listed in CISA's KEV catalog. Attackers could potentially craft Pulsar messages that include JDK class references; if the system’s trusted-packages setting is generous or unset, the deserialization routine will execute those classes, enabling remote code execution. Exploitation would require network access to the Pulsar endpoint and the ability to inject custom message headers.

Generated by OpenCVE AI on June 10, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring for Apache Pulsar to the latest release that contains the fixed JsonPulsarHeaderMapper logic.
  • Configure the trusted-packages property to a narrow, explicit allow‑list that excludes JDK packages, and do not leave the list empty.
  • Validate and sanitize incoming header values so that only known, safe types are processed before deserialization.

Generated by OpenCVE AI on June 10, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41732 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
Title In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:49:31.164Z

Reserved: 2026-04-22T06:21:39.015Z

Link: CVE-2026-41732

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:52.720

Modified: 2026-06-10T00:16:52.720

Link: CVE-2026-41732

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses