CVE-2026-41729: Spring Data REST SpEL Injection via JSON Patch Map Key

Vulnerability Overview CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch Severity: High Publication Date: June 9, 2026 Description: Spring Data REST is vulnerable to SpEL expression injection via Map attributes when processing JSON Patch ( ) requests. When a persisted entity exposes a -typed attribute, the JSON Pointer path segment is used as the map key and directly embedded into the SpEL expression without any sanitization or validation. An attacker can construct a map key segment to bypass expected indexer literals and evaluate arbitrary SpEL sub-expressions within the context of an aggregate root. Impact Scope Affected Spring Products and Versions: - Spring Data REST: - 3.7.0 - 3.7.19 - 4.3.0 - 4.3.16 - 4.4.0 - 4.4.14 - 4.5.0 - 4.5.11 - 5.0.0 - 5.0.5 Prerequisites: - The exposed aggregate or nested embedded type declares a -typed persisted attribute via the patch path. - The attacker is able to send a request to the project resource with (enabled by default; authentication requirements depend on the application's security configuration). Mitigation Mitigation: - Upgrade affected versions to the corresponding patched versions. Credit Reporter: Daehyun Kang (@daehyuh) Email: daehyuh@gmail.com References NVD CVSS Calculator History 2026-06-09: Initial vulnerability report published.

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-41729: Spring Data REST SpEL Injection via JSON Patch Map Key