CVE-2026-41695 - Vulnerability Details

- Denial of Service in Spring Data Commons Property Path Resolution

Description

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution.

Affected versions:
Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.

Published: 2026-06-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Spring Data Commons resolves property paths supplied by applications. An attacker can supply a specially crafted property path that causes the resolution algorithm to consume excessive CPU or memory, leading to service slowdown or failure. The vulnerability enables a denial‑of‑service condition without requiring authentication or elevated privileges. The weakness is a classic resource‑exhaustion fault marked by CWE‑400.

Affected Systems

The flaw affects the Spring publisher’s Spring Data Commons library in multiple major releases, specifically versions 4.0.0‑4.0.5, 3.5.0‑3.5.11, and 3.4.0‑3.4.14. Applications built with any of these releases are at risk.

Risk and Exploitability

With a CVSS score of 7.5 the risk is considered high. No EPSS score is available and the issue is not listed in CISA’s KEV catalog. The likely attack vector is through attacker‑controlled input—property path strings that an application processes during request handling. Because no authentication is required, any external request that reaches the vulnerable code can trigger the resource exhaustion. No public exploits have been confirmed, but the severity suggests the vulnerability could be actively targeted in a high‑traffic environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Spring

Spring Data Commons

unaffected

Version	Status	Constraints
`4.0.0`	affected	< 4.0.5.1
`3.5.0`	affected	< 3.5.11.1
`3.4.0`	affected	< 3.4.15

Configuration 1 [-]

OR	cpe:2.3:a:broadcom:spring_data_commons::::::::
	cpe:2.3:a:broadcom:spring_data_commons::::::::
	cpe:2.3:a:broadcom:spring_data_commons::::::::

No data.

Vendor Product Confidence Versions

Spring

Spring Data Commons

100%

Version	Status	Scheme	Platform
`[4.0.0,4.0.6)`	affected	semver	—
`[3.5.0,3.5.12)`	affected	semver	—
`[3.4.0,3.4.15)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy the latest non‑affected release of Spring Data Commons (e.g., 4.0.6 or newer) as soon as possible.
Implement input validation on property path strings, rejecting or sanitizing paths that exceed a reasonable length.
If an immediate upgrade cannot be performed, limit the maximum size of request bodies or apply rate‑limiting to the affected endpoints to mitigate resource exhaustion.

Generated by OpenCVE AI on June 10, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00363.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://spring.io/security/cve-2026-41695

History

Tue, 16 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Broadcom Broadcom spring Data Commons
CPEs		cpe:2.3:a:broadcom:spring_data_commons::::::::
Vendors & Products		Broadcom Broadcom spring Data Commons

Wed, 10 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Spring Spring spring Data Commons
Vendors & Products		Spring Spring spring Data Commons

Wed, 10 Jun 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.
Title		Denial of Service in Spring Data Commons Property Path Resolution
Weaknesses		CWE-400
References		https://spring.io/security/cve-2026-41695
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Broadcom Spring Data Commons

Spring Spring Data Commons

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2026-06-09T23:47:33.927Z

Updated: 2026-06-27T21:31:50.685Z

Reserved: 2026-04-22T06:21:22.981Z

Link: CVE-2026-41695

Vulnrichment

Updated: 2026-06-10T18:00:08.963Z

NVD

Status : Analyzed

Published: 2026-06-10T00:16:50.683

Modified: 2026-06-16T19:54:19.850

Link: CVE-2026-41695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:21:51Z

Weaknesses

CWE-400
Uncontrolled Resource Consumption

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object