Description
Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution.

Affected versions:
Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Data Commons resolves property paths supplied by applications. An attacker who controls such a path can supply a specially crafted string that causes the resolution algorithm to consume excessive CPU or memory, leading to service slowdown or failure. The vulnerability enables a denial-of-service condition without requiring authentication or elevated privileges. The weakness is a classic resource-exhaustion fault, classified as CWE-400 (Uncontrolled Resource Consumption).

Affected Systems

The flaw affects the Spring Data Commons library across three release lines: versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, and 3.4.0 through 3.4.14. Applications built on any of these releases are at risk.

Risk and Exploitability

With a CVSS 3.1 score of 7.5 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) the risk is rated high. No EPSS score is available and the issue is not listed in CISA's KEV catalog. The likely attack vector is attacker-controlled input: property path strings that an application passes to property path resolution while handling a request. Because no authentication is required, any external request that reaches the vulnerable code can trigger the resource exhaustion. No public exploits have been confirmed, but the severity suggests the vulnerability could be actively targeted in a high-traffic environment.

Generated by OpenCVE AI on June 10, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest non‑affected release of Spring Data Commons (e.g., 4.0.6 or newer) as soon as possible.
  • Implement input validation on property path strings, rejecting or sanitizing paths that exceed a reasonable length.
  • If an immediate upgrade cannot be performed, limit the maximum size of request bodies or apply rate‑limiting to the affected endpoints to mitigate resource exhaustion.
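The second recommended action, bounding property path strings before they reach resolution, as an added illustration (this is not OpenCVE's or Spring Data's code). The guard below enforces a maximum total length and a maximum number of segments, and accepts only identifier-shaped segments; the limits, the class name and the sample inputs are assumptions chosen for this example. Only a string that passes the guard would then be handed to Spring Data's resolver (for instance `PropertyPath.from(validated, Entity.class)`).

```java
// Added example, not code from OpenCVE or the Spring Data project.
// Rejects attacker-controlled property path strings that are implausibly long
// or deeply nested before they are passed to property path resolution.
import java.util.regex.Pattern;

public final class PropertyPathGuard {

    // Limits are assumptions for illustration; tune them to the real entity model.
    private static final int MAX_LENGTH = 128;
    private static final int MAX_SEGMENTS = 8;

    // A segment must look like a Java identifier (no separators, no empty parts).
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    private PropertyPathGuard() {}

    /**
     * Returns the path unchanged if it is within bounds, otherwise throws.
     * Call this on request input before any MappingContext / PropertyPath lookup.
     */
    public static String validate(String path) {
        if (path == null || path.isEmpty()) {
            throw new IllegalArgumentException("property path must not be empty");
        }
        if (path.length() > MAX_LENGTH) {
            throw new IllegalArgumentException(
                "property path too long: " + path.length() + " > " + MAX_LENGTH);
        }
        // Spring Data separates nested properties with '.' or '_'; limit -1 keeps
        // trailing empty parts so "a." is caught by the segment check below.
        String[] segments = path.split("[._]", -1);
        if (segments.length > MAX_SEGMENTS) {
            throw new IllegalArgumentException(
                "property path too deep: " + segments.length + " > " + MAX_SEGMENTS);
        }
        for (String segment : segments) {
            if (!SEGMENT.matcher(segment).matches()) {
                throw new IllegalArgumentException(
                    "invalid property path segment: '" + segment + "'");
            }
        }
        return path;
    }

    /** Convenience wrapper that reports accept/reject instead of throwing. */
    public static boolean isAcceptable(String path) {
        try {
            validate(path);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one realistic path and two abusive ones.
        String normal = "customer.address.city";
        String tooLong = "a".repeat(2000);
        String tooDeep = String.join(".", java.util.Collections.nCopies(50, "x"));

        System.out.println(normal + " -> " + isAcceptable(normal));   // true
        System.out.println("2000 chars -> " + isAcceptable(tooLong)); // false
        System.out.println("50 segments -> " + isAcceptable(tooDeep)); // false
    }
}
```

Rejected inputs should be logged with the source address and endpoint so that a burst of oversized paths is visible to monitoring; the guard complements, and does not replace, upgrading to a non-affected release.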


Advisories

No advisories yet.

References
History

Wed, 10 Jun 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   -                Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.
Title         -                Denial of Service in Spring Data Commons Property Path Resolution
Weaknesses    -                CWE-400
References    -                -
Metrics       -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:47:33.927Z

Reserved: 2026-04-22T06:21:22.981Z

Link: CVE-2026-41695

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:50.683

Modified: 2026-06-10T00:16:50.683

Link: CVE-2026-41695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses