CVE-2026-41696 - Vulnerability Details - OpenCVE

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://spring.io/security/cve-2026-41696

History

Wed, 10 Jun 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Title		Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Weaknesses		CWE-943
References		https://spring.io/security/cve-2026-41696
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-09T23:47:37.883Z

Updated: 2026-06-09T23:47:37.883Z

Reserved: 2026-04-22T06:21:22.981Z

Link: CVE-2026-41696

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T00:16:50.800

Modified: 2026-06-10T00:16:50.800

Link: CVE-2026-41696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41696", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-22T06:21:22.981Z", "datePublished": "2026-06-09T23:47:37.883Z", "dateUpdated": "2026-06-09T23:47:37.883Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-09T23:47:37.883Z"}, "title": "Spring Data MongoDB Bind Parameter Literal Quoting Breakout", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-943", "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An attacker who can supply a crafted string to a @Query regex binding can break out of literal quoting, potentially exposing unauthorized data or bypassing intended query filters."}]}], "affected": [{"vendor": "Spring", "product": "Spring Data MongoDB", "defaultStatus": "unaffected", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.0.6", "versionType": "custom"}, {"status": "affected", "version": "4.5.0", "lessThan": "4.5.12", "versionType": "custom"}, {"status": "affected", "version": "4.4.0", "lessThan": "4.4.15", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.17", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.16", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.15", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.16", "versionType": "custom"}, {"status": "affected", "version": "3.4.0", "lessThan": "3.4.20", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting.\n\nAffected versions:\nSpring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19."}]}], "references": [{"url": "https://spring.io/security/cve-2026-41696"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}