{"id":"CVE-2026-41729","summary":"Spring Data REST SpEL Injection via Map Key in JSON Patch","details":"Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.","modified":"2026-07-08T08:13:13.454524298Z","published":"2026-06-09T23:49:17.014Z","database_specific":{"cwe_ids":["CWE-917"],"cna_assigner":"vmware","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"3.7.0"},{"fixed":"3.7.20"},{"introduced":"4.3.0"},{"fixed":"4.3.17"},{"introduced":"4.4.0"},{"fixed":"4.4.15"},{"introduced":"4.5.0"},{"fixed":"4.5.12"},{"introduced":"5.0.0"},{"fixed":"5.0.6"}]},{"source":"DESCRIPTION","extracted_events":[{"introduced":"3.7.0"},{"fixed":"3.7.19"},{"introduced":"4.3.0"},{"fixed":"4.3.16"},{"introduced":"4.4.0"},{"fixed":"4.4.14"},{"introduced":"4.5.0"},{"fixed":"4.5.11"},{"introduced":"5.0.0"},{"fixed":"5.0.5"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41729.json"},"references":[{"type":"WEB","url":"https://spring.io/security/cve-2026-41729"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41729.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41729"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-data-rest","events":[{"introduced":"63587e562e5e3b10e305dfd79d8b803b7e75f916"},{"last_affected":"e79c85ec1922fe04e52ec77c92ed2a8c8b97c7b7"},{"introduced":"0ae642131f36b87b9a46c568e53a7b56f99c72ff"},{"last_affected":"9c03c243bb3baf8edad8b300254d320934f78a40"}],"database_specific":{"cpe":"cpe:2.3:a:vmware:spring_data_rest:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"4.5.0"},{"last_affected":"4.5.11"},{"introduced":"5.0.0"},{"last_affected":"5.0.5"}]}}],"versions":["5.0.5","4.5.11","5.0.4","4.5.10","4.5.9","5.0.3","5.0.2","4.5.8","5.0.1","4.5.7","5.0.0","4.5.6","4.5.5","4.5.4","4.5.3","4.5.2","4.5.1","4.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41729.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}