CVE Catalog

CVE-2026-41696

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile - higher than 17% of all known CVEs

Summary

In Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding, there is insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.

Risk Assessment

Insufficient parameter validation may lead to unauthorized query execution, jeopardizing data integrity and application security.

Recommendation

It is recommended to upgrade to the latest version of Spring Data MongoDB to ensure proper regex parameter validation and minimize the risk of attacks.

Original NVD description (English source)

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS