CVE-2026-41696

Updated on 09 Jun 2026

Severity

5.9 Medium severity

Details

CVSS score
5.9
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Overview

About vulnerability

Description

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding (e.g., @Query("{ name : /^\\Q?0\\E$/ }")) perform insufficient validation of the bound parameter.

An attacker can supply a crafted string to break out of the intended regular expression quoting. When the repository is exposed to untrusted sources (e.g., via spring-data-rest), this can lead to unauthorized data exposure or bypass of intended query filters.
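The following is an added example, not code from the advisory or from the Spring Data MongoDB project. It shows two defensive treatments for a value that is bound inside the \Q...\E literal region of an anchored filter like the @Query above: a strict check that refuses values able to close the literal, and an escaping routine that keeps the filter's anchors outside user control. Class and method names are hypothetical, and java.util.regex stands in for the server-side regex engine, which also honours \Q...\E.

```java
import java.util.regex.Pattern;

// Added example, not code from the advisory or from Spring Data MongoDB. Shows two
// defensive treatments for a value bound inside the \Q...\E literal of an anchored
// filter such as the advisory's @Query("{ name : /^\\Q?0\\E$/ }"). Names are hypothetical;
// java.util.regex stands in for the server-side engine, which also honours \Q...\E.
public final class SafeRegexBinding {
    private SafeRegexBinding() {}

    /** Strict validation: a value that could terminate the literal region is not bindable. */
    public static boolean isQuotable(String value) {
        return !value.contains("\\E");
    }

    /**
     * Escaping alternative: wrap the value in \Q...\E and rewrite each embedded "\E"
     * as \E\\E\Q (close literal, match a real backslash-E, reopen literal).
     * Produces the same text as java.util.regex.Pattern.quote(value).
     */
    public static String quoteForRegex(String value) {
        int idx = value.indexOf("\\E");
        if (idx < 0) {
            return "\\Q" + value + "\\E";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16).append("\\Q");
        int start = 0;
        while (idx >= 0) {
            sb.append(value, start, idx).append("\\E\\\\E\\Q");
            start = idx + 2;
            idx = value.indexOf("\\E", start);
        }
        return sb.append(value, start, value.length()).append("\\E").toString();
    }

    /** Anchored exact match from the escaped value; the anchors stay outside user control. */
    public static Pattern exactMatch(String value) {
        return Pattern.compile("^" + quoteForRegex(value) + "$");
    }

    public static void main(String[] args) {
        String value = "alice\\E.*"; // constructed test value: the literal text alice\E.*
        Pattern p = exactMatch(value);
        System.out.println(p.matcher("alice\\E.*").matches());                 // true: the literal itself
        System.out.println(p.matcher("alice-someone-else").matches());         // false: .* stayed literal
        System.out.println(quoteForRegex(value).equals(Pattern.quote(value))); // true
        System.out.println(isQuotable(value));                                 // false: strict check rejects it
    }
}
```

Upgrading to a fixed version remains the mitigation the advisory gives; the escaping above is the discipline to apply wherever application code itself assembles a regex from untrusted input.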

Affected Spring Products and Versions

Spring Data MongoDB:

  • 5.0.0 to 5.0.5
  • 4.5.0 to 4.5.11
  • 4.4.0 to 4.4.14
  • 4.3.0 to 4.3.16
  • 4.2.0 to 4.2.15
  • 4.1.0 to 4.1.14
  • 4.0.0 to 4.0.15
  • 3.4.0 to 3.4.19
  • older unsupported versions

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
5.0.x                 5.0.6         OSS
4.5.x                 4.5.12        OSS
4.4.x                 4.4.15        Enterprise Support Only
4.3.x                 4.3.17        Enterprise Support Only
3.4.x                 3.4.20        Enterprise Support Only

History

  • 2026-06-09: Initial vulnerability report published.

Details

Affected product:
Spring
Affected packages:
Spring Data @ 3.4.18 (+78 more)