CVE-2026-41727 is an improper input validation vulnerability (CWE-20) in Spring for Apache Kafka's retry topic infrastructure. The component fails to sufficiently validate user-controlled header values, specifically the retry_topic-attempts header. An attacker controlling a producer can craft this header with an out-of-range attempt count, leading the retry topic router to incorrectly determine the message's position in the retry sequence. This misidentification can disrupt message processing, resulting in denial of service or message loss. The vulnerability affects multiple versions of Spring for Apache Kafka from 2.8.0 through 4.0.5 as specified. There is no vendor advisory or patch information provided, and no known exploits in the wild have been reported.

The vulnerability impacts availability by causing the retry topic router to misroute or mishandle messages due to incorrect retry attempt counts. This can lead to message processing disruptions or denial of service conditions. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting producer permissions to trusted sources and monitor for anomalous retry_topic-attempts header values if possible. Avoid relying on untrusted producers to send retry topic headers. Follow vendor communications for updates on patches or official mitigations.