CVE-2026-7045 - Vulnerability Details

Description

A vulnerability was determined in baomidou dynamic-datasource 2.5.0. Affected by this vulnerability is the function DsSpelExpressionProcessor#doDetermineDatasource of the file dynamic-datasource-spring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java of the component StandardEvaluationContext/SpelExpressionParser. This manipulation causes injection. The attack may be initiated remotely. Patch name: 273fcedaee984c08197c0890f14190b86ab7e0b8. It is recommended to apply a patch to fix this issue.

Published: 2026-04-26

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

baomidou

dynamic-datasource

affected

Version	Status	Constraints
`2.5.0`	affected	—

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/baomidou/dynamic-datasource/
https://github.com/baomidou/dynamic-datasource/commit/273fcedaee984c08197c0890f14190b86ab7e0b8
https://github.com/baomidou/dynamic-datasource/issues/766
https://github.com/baomidou/dynamic-datasource/pull/767
https://vuldb.com/submit/798600
https://vuldb.com/vuln/359624
https://vuldb.com/vuln/359624/cti

History

Sun, 26 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in baomidou dynamic-datasource 2.5.0. Affected by this vulnerability is the function DsSpelExpressionProcessor#doDetermineDatasource of the file dynamic-datasource-spring/src/main/java/com/baomidou/dynamic/datasource/processor/DsSpelExpressionProcessor.java of the component StandardEvaluationContext/SpelExpressionParser. This manipulation causes injection. The attack may be initiated remotely. Patch name: 273fcedaee984c08197c0890f14190b86ab7e0b8. It is recommended to apply a patch to fix this issue.
Title		baomidou dynamic-datasource StandardEvaluationContext/SpelExpressionParser DsSpelExpressionProcessor.java DsSpelExpressionProcessor#doDetermineDatasource injection
Weaknesses		CWE-707 CWE-74
References		https://github.com/baomidou/dynamic-datasource/ https://github.com/baomidou/dynamic-datasource/commit/273fcedaee984c08197c0890f14190b86ab7e0b8 https://github.com/baomidou/dynamic-datasource/issues/766 https://github.com/baomidou/dynamic-datasource/pull/767 https://vuldb.com/submit/798600 https://vuldb.com/vuln/359624 https://vuldb.com/vuln/359624/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-26T13:45:15.529Z

Updated: 2026-04-26T13:45:15.529Z

Reserved: 2026-04-25T16:10:12.081Z

Link: CVE-2026-7045

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object