Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Unsafe deserialization in Spring for Apache Kafka header mappers

IdentifiersCVE-2026-41731CWE-502· Deserialization of Untrusted Data

CVE-2026-41731 is an unsafe deserialization vulnerability in Spring for Apache Kafka affecting JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper. The vulnerable logic matched header-declared types against trusted packages using a prefix check, so configuring trust for a package also implicitly trusted all of its subpackages. When this behavior is combined with Jackson's default bean deserialization, a malicious Kafka producer can send crafted header values that cause a consuming application to deserialize arbitrary JDK types. Spring notes that this can include classes whose constructors have side effects, such as allocating file descriptors or spawning thread pools. Affected versions are Spring for Apache Kafka 4.0.0 through 4.0.5, 3.3.0 through 3.3.15, 3.2.0 through 3.2.13, 2.9.0 through 2.9.13, and 2.8.0 through 2.8.11.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a malicious producer to influence Kafka consumers into deserializing arbitrary JDK types from crafted header values. Depending on the reachable classes and runtime environment, this can result in high-impact compromise, including unintended code paths, constructor side effects, resource exhaustion, integrity impact, and potential broader application compromise. The supplied context associates the issue with high confidentiality, integrity, and availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by avoiding broad trusted-package configurations in Kafka header mapping, avoiding use of the deprecated DefaultKafkaHeaderMapper, and restricting or disabling risky deserialization behavior where feasible. However, the vendor guidance in the provided content indicates that upgrading is the primary and sufficient mitigation.

Remediation

Patch, then assume compromise.

Upgrade Spring for Apache Kafka to a fixed release in the relevant branch. The provided content identifies fixes as 4.0.6 for 4.0.x and 3.3.16 for 3.3.x, with commercial fixes listed as 4.0.5.1, 3.3.15.1, 3.2.14, 2.9.14, and 2.8.12 for other supported branches. Unsupported versions are also affected and should be upgraded to a supported fixed release. Spring states that no further remediation is necessary beyond upgrading.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
BroadcomSpring For Apache Kafkaapplication
BroadcomSpring-Kafkaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
security online infoNews
Jun 11, 2026
Spring GraphQL Security Patches for Deserialization Flaws

An input validation defect in messaging components affecting header configuration handling, enabling arbitrary class execution through crafted headers.

Read more
cvefeed high severityNews
Jun 10, 2026
CVE-2026-41731 - In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

A deserialization-related vulnerability in Spring for Apache Kafka where trusted package checks used a prefix match in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper, allowing crafted header values to trigger deserialization of arbitrary JDK types.

Read more
springNews
Jun 9, 2026
CVE-2026-41731: In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization

A high-severity deserialization vulnerability in Spring for Apache Kafka caused by overly broad trusted-package matching in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper, allowing crafted headers to trigger deserialization of arbitrary JDK types with potentially dangerous side effects.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-41731
NVD
nvd.nist.gov/vuln/detail/CVE-2026-41731
MITRE CWE · CWE-502
Deserialization of Untrusted Data
spring.io
spring.io/security/cve-2026-41731