CVE-2026-41696 Overview
CVE-2026-41696 affects Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding. The framework performs insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting, enabling NoSQL injection against MongoDB queries. The flaw is classified under [CWE-943] Improper Neutralization of Special Elements in Data Query Logic.
Critical Impact
Attackers can manipulate MongoDB regex queries to retrieve unauthorized data from the backing database, leading to confidentiality loss in applications using vulnerable Spring Data MongoDB repositories.
Affected Products
- Spring Data MongoDB 5.0.0 through 5.0.5
- Spring Data MongoDB 4.5.0 through 4.5.11, 4.4.0 through 4.4.14, 4.3.0 through 4.3.16, 4.2.0 through 4.2.15, 4.1.0 through 4.1.14, 4.0.0 through 4.0.15
- Spring Data MongoDB 3.4.0 through 3.4.19
Discovery Timeline
- 2026-06-10 - CVE-2026-41696 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-41696
Vulnerability Analysis
The vulnerability resides in Spring Data MongoDB's handling of @Query-annotated repository methods that use regex parameter binding. When a repository method embeds a user-supplied value inside a regular expression pattern, the framework does not adequately escape regex metacharacters or pattern terminators. An attacker who controls the bound parameter can break out of the intended quoting context and inject arbitrary regex syntax into the underlying MongoDB query document.
Exploitation requires network-reachable application endpoints that pass attacker-controlled input to a vulnerable repository method. The attacker constructs input containing regex metacharacters, alternation, or pattern-closing sequences to alter query semantics. Successful injection lets the attacker match records outside the intended filter scope and extract data the application would not otherwise expose. The advisory indicates no integrity or availability impact, but confidentiality of data accessible to the affected query is at risk.
Root Cause
The root cause is improper neutralization of special characters used in regular expressions when binding parameters to @Query-annotated methods. Input intended to be treated as a literal substring is concatenated into a regex without complete escaping, violating the contract between input data and query language semantics ([CWE-943]).
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a crafted parameter value to any application endpoint that forwards input to a vulnerable repository query. Attack complexity is high because the attacker must understand the target query structure and craft a regex payload that produces a useful information disclosure.
No verified public proof-of-concept code is available. Refer to the Spring Security Advisory CVE-2026-41696 for vendor-supplied technical context.
Detection Methods for CVE-2026-41696
Indicators of Compromise
- Unusual query parameter values containing regex metacharacters such as .*, |, \Q, \E, ^, $, or unbalanced parentheses in HTTP request logs.
- Application or MongoDB driver logs showing repository queries with malformed or unexpectedly broad regex patterns.
- Anomalous spikes in result set sizes returned by repository methods that normally produce narrow matches.
Detection Strategies
- Inventory Spring Data MongoDB usage and identify repository interfaces with @Query annotations that bind parameters into regex expressions.
- Enable MongoDB profiling or audit logging and alert on queries whose regex pattern length or complexity deviates from baseline.
- Review web application firewall logs for request parameters containing regex control characters delivered to endpoints that map to MongoDB-backed repositories.
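As an added illustration of the indicators above and of the third detection strategy (it is not code from the advisory, from Spring, or from this page), a small Java scanner that URL-decodes each query parameter in combined-log style request lines and flags the metacharacters listed under Indicators of Compromise plus unbalanced parentheses. The log format, the /customers/search endpoint and the sample values are constructed assumptions for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class RegexInjectionLogScan {
    // Metacharacters and quoting sequences listed under Indicators of Compromise.
    private static final Pattern SUSPICIOUS = Pattern.compile("\\.\\*|\\||\\\\Q|\\\\E|\\^|\\$");
    // Extracts the query string from a combined-log request field such as "GET /x?a=b HTTP/1.1".
    private static final Pattern QUERY = Pattern.compile("\"(?:GET|POST) [^ ?\"]*\\?([^ \"]*) HTTP/");

    // Constructed sample lines; they are not taken from any real system.
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [10/Jun/2026:12:00:01 +0000] \"GET /customers/search?name=alice HTTP/1.1\" 200 512",
        "10.0.0.9 - - [10/Jun/2026:12:00:07 +0000] \"GET /customers/search?name=bob%5CE HTTP/1.1\" 200 98231",
        "10.0.0.9 - - [10/Jun/2026:12:00:09 +0000] \"GET /customers/search?name=a%28.%2A HTTP/1.1\" 200 77120"
    };

    // One finding per offending parameter: "<client> <param>=<decoded value>: <reason>".
    static List<String> scan(String[] lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = QUERY.matcher(line);
            if (!m.find()) continue;
            String client = line.substring(0, line.indexOf(' '));
            for (String pair : m.group(1).split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0) continue;
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                String reason = classify(value);
                if (reason != null) findings.add(client + " " + pair.substring(0, eq) + "=" + value + ": " + reason);
            }
        }
        return findings;
    }

    // Null when the value looks like a plain literal, otherwise the indicator that fired.
    static String classify(String value) {
        Matcher m = SUSPICIOUS.matcher(value);
        if (m.find()) return "regex metacharacter " + m.group();
        int depth = 0;
        for (char c : value.toCharArray()) {
            if (c == '(') depth++;
            else if (c == ')' && --depth < 0) return "unbalanced parentheses";
        }
        return depth == 0 ? null : "unbalanced parentheses";
    }
}
```

Calling scan(SAMPLE_LOG) returns two findings, one for the decoded \E in the second line and one for the .* in the third; the plain value alice is not reported.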
Monitoring Recommendations
- Correlate inbound HTTP parameter values with outbound MongoDB query payloads to identify injection attempts in real time.
- Track query response volumes per endpoint and alert when responses exceed expected cardinality for a given user context.
- Monitor dependency manifests (pom.xml, build.gradle) in CI pipelines for vulnerable Spring Data MongoDB versions.
How to Mitigate CVE-2026-41696
Immediate Actions Required
- Upgrade Spring Data MongoDB to a fixed release line as indicated in the Spring Security Advisory CVE-2026-41696.
- Audit application code for @Query annotations that bind user input into regex patterns and validate that input is constrained to expected character classes.
- Apply strict server-side input validation rejecting regex metacharacters where literal string matching is intended.
Patch Information
Spring has published a security advisory for CVE-2026-41696. Consult the Spring Security Advisory CVE-2026-41696 for the fixed version numbers corresponding to each affected release branch (3.4.x, 4.0.x through 4.5.x, and 5.0.x) and apply the recommended upgrade.
Workarounds
- Replace regex parameter binding with exact-match query operators where the use case does not require pattern matching.
- Pre-escape user input using a regex quoting helper before passing it to repository methods that build regex queries, treating all metacharacters as literals.
- Apply allowlist validation on input destined for regex parameters, restricting characters to [A-Za-z0-9_-] or a similarly safe set.
# Example Maven dependency update - replace VERSION with the fixed release from the advisory
mvn versions:set-property -Dproperty=spring-data-mongodb.version -DnewVersion=VERSION
mvn clean verify
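The three workarounds above, as an added Java example that is not part of this page or of Spring Data MongoDB itself: the Customer document, the CustomerRepository interface and its @Query string are assumptions made for illustration, and the escaping helper assumes the bound value reaches MongoDB as a raw regex fragment.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.mongodb.repository.Query;

class Customer { String id; String name; }   // hypothetical document type

// Hypothetical repository: searchByNamePattern binds its argument straight into $regex,
// the @Query shape this advisory concerns; findByName is a plain equality match.
interface CustomerRepository extends MongoRepository<Customer, String> {
    @Query("{ 'name': { $regex: ?0 } }")
    List<Customer> searchByNamePattern(String pattern);

    List<Customer> findByName(String name);
}

final class SafeCustomerSearch {
    // Allowlist from the Workarounds section; the length bound also keeps patterns short.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private final CustomerRepository repo;

    SafeCustomerSearch(CustomerRepository repo) { this.repo = repo; }

    // Workaround 1: exact match wherever substring search is not actually required.
    public List<Customer> byExactName(String userInput) {
        return repo.findByName(userInput);
    }

    // Workarounds 2 and 3: allowlist first (rejects every metacharacter, \Q and \E
    // included), then escape anyway so a later relaxation of the allowlist cannot reopen the issue.
    public List<Customer> byNameFragment(String userInput) {
        if (userInput == null || !ALLOWED.matcher(userInput).matches()) {
            throw new IllegalArgumentException("name fragment contains disallowed characters");
        }
        return repo.searchByNamePattern(escapeRegexLiteral(userInput));
    }

    // Backslash-escapes the metacharacters a PCRE-style engine interprets. \Q...\E quoting
    // is avoided on purpose: a \E inside the value is exactly the break-out at issue.
    static String escapeRegexLiteral(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if ("\\^$.|?*+()[]{}".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
}
```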
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.