CVE-2026-41732

Severity CVSS v4.0:
Pending analysis
Type:
CWE-502 Deserialization of Untrusted Data
Publication date:
10/06/2026
Last modified:
27/06/2026

Description

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list.

Affected versions:
Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.
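The two flaws in the description are both in the allow-list check that runs before a type header is turned into a class. The following is an added, self-contained Java illustration written for this entry; it is not code from Spring for Apache Pulsar, and the class name TrustedPackageCheck, the method names, the wildcard "*" handling and the default allow-list of java.util and java.lang are assumptions made for the demonstration. It places the prefix-based check beside a boundary-aware one and shows what each answers for an empty configuration.

```java
import java.util.List;
import java.util.Set;

/**
 * Added example: trusted-package matching for a deserialization type header.
 * Not JsonPulsarHeaderMapper's code; names and the default list are assumed.
 */
public class TrustedPackageCheck {

    // Assumed safe default applied by the hardened check when nothing is configured.
    static final Set<String> DEFAULT_TRUSTED = Set.of("java.util", "java.lang");

    /** Flawed check: raw string prefix, and an empty configuration trusts everything. */
    static boolean isTrustedVulnerable(List<String> trusted, String className) {
        if (trusted.isEmpty()) {
            return true;                          // falls back to allow-all
        }
        for (String pkg : trusted) {
            if (className.startsWith(pkg)) {      // "com.acme.model" also admits every subpackage
                return true;
            }
        }
        return false;
    }

    /** Hardened check: exact package match, explicit wildcard, safe default for empty config. */
    static boolean isTrustedHardened(List<String> trusted, String className) {
        Set<String> allowed = trusted.isEmpty() ? DEFAULT_TRUSTED : Set.copyOf(trusted);
        if (allowed.contains("*")) {
            return true;                          // trusting everything must be opted into explicitly (assumption)
        }
        int dot = className.lastIndexOf('.');
        if (dot < 0) {
            return false;                         // class in the default package: no trusted package can match
        }
        String pkg = className.substring(0, dot); // compare the package, not an arbitrary prefix
        return allowed.contains(pkg);             // subpackages must be listed on their own
    }

    public static void main(String[] args) {
        List<String> trusted = List.of("com.acme.model");
        // Constructed type-header values for the demonstration.
        String[] headers = {
            "com.acme.model.Order",               // the package that was actually trusted
            "com.acme.model.internal.Secret",     // subpackage: admitted only by the prefix check
            "com.acme.modelx.Gadget",             // shares the string prefix without being a subpackage
        };
        for (String h : headers) {
            System.out.printf("%-35s vulnerable=%-5b hardened=%b%n", h,
                    isTrustedVulnerable(trusted, h), isTrustedHardened(trusted, h));
        }
        // Empty configuration: the flawed check admits any class, the hardened one applies the default list.
        String gadget = "org.example.Gadget";
        System.out.printf("%-35s vulnerable=%-5b hardened=%b%n", gadget,
                isTrustedVulnerable(List.of(), gadget), isTrustedHardened(List.of(), gadget));
        String listType = "java.util.ArrayList";
        System.out.printf("%-35s vulnerable=%-5b hardened=%b%n", listType,
                isTrustedVulnerable(List.of(), listType), isTrustedHardened(List.of(), listType));
    }
}
```

With the configuration above, the flawed check admits all three constructed headers and, with an empty list, anything at all; the hardened check admits only com.acme.model.Order, and with an empty list only classes in the assumed default packages. Operationally, the check that matters when triaging an affected deployment is whether the consumer's trusted-packages setting is empty or lists a broad parent package, since either condition widens what a type header can name.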

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:vmware:spring_for_apache_pulsar:*:*:*:*:*:*:*:* 1.1.0 (including) 1.1.17 (including)
cpe:2.3:a:vmware:spring_for_apache_pulsar:*:*:*:*:*:*:*:* 1.2.0 (including) 1.2.17 (including)
cpe:2.3:a:vmware:spring_for_apache_pulsar:*:*:*:*:*:*:*:* 2.0.0 (including) 2.0.5 (including)


References to Advisories, Solutions, and Tools