CVE-2026-41726 — In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, p

Description

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

How to fix CVE-2026-41726

To remediate CVE-2026-41726, upgrade the affected package to a fixed version below.

—upgrade to 4.0.6 or later

Is CVE-2026-41726 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-41726.

Affected packages (1)

>= 4.0.0, < 4.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41726
PATCHgithub.com/spring-projects/spring-kafka
WEBgithub.com/spring-projects/spring-kafka/commit/ca2337ba789c5778a10197bda17a62915247ff6c
WEBgithub.com/spring-projects/spring-kafka/issues/4489