Bug 2487375 (CVE-2026-41731) - CVE-2026-41731 spring-kafka: Spring for Apache Kafka: Arbitrary code execution via insecure deserialization of crafted header values
Summary: CVE-2026-41731 spring-kafka: Spring for Apache Kafka: Arbitrary code executio...
Keywords:
Status: NEW
Alias: CVE-2026-41731
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-10 00:01 UTC by OSIDB Bzimport
Modified: 2026-06-16 11:23 UTC (History)
22 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-10 00:01:45 UTC 
JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types.

Affected versions:
Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.
Note You need to log in before you can comment on or make changes to this bug.