Description
Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.

Affected versions:
Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
Published: 2026-06-09
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Spring Data Relational lies in the handling of StringMatcher patterns within Query By Example. When an external value is bound to a LIKE clause that uses a STARTING, ENDING, or CONTAINING matcher, the framework fails to escape wildcard characters. An attacker who can influence this input can inject % or _ (or other SQL LIKE metacharacters), turning the query into a Boolean-based blind inference vector that reveals the existence or absence of matching database rows without returning explicit data. This vulnerability is an instance of improper neutralization of special elements in data query logic (CWE‑943) and can leak sensitive information.

Affected Systems

Affected versions include Spring Data JDBC, R2DBC, and Relational libraries from 2.4.0 up to 4.0.5 across the major releases 2.x through 4.x. The bug is present in the query engine component that constructs LIKE expressions and thus applies to any application that relies on Query By Example for data retrieval.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS data is not available, so the exploitation probability cannot be quantified. Based on the description, it is inferred that the vulnerability can be exploited without authentication if the attacker can provide malicious QBE input. The lack of a KEV listing suggests no large‑scale attacks have been documented, but Boolean-based inference attacks can be performed over repeated queries, making this risk realistic for exposed services.

Generated by OpenCVE AI on June 10, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spring Data JDBC, R2DBC, or Relational version 4.0.6 or later to apply the escape fix.
  • Configure the framework or database to escape wildcard characters in LIKE expressions when using StringMatcher, or switch to a parameterized query that explicitly uses an ESCAPE clause.
  • Validate or sanitize all external input passed to StringMatcher before it reaches the query engine, rejecting or neutralizing any % or _ characters.
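As an added illustration of the escaping the recommended actions describe (example code written for this page, not Spring Data's own implementation; it uses Python with an in-memory SQLite table of constructed names): the helper neutralizes %, _ and the escape character itself before the value is wrapped into the CONTAINING pattern, and the query declares that escape character with an ESCAPE clause, so a lone wildcard in the input no longer matches every row.

```python
import sqlite3

# Constructed sample data for this example (not from the advisory); one name
# holds a literal underscore so the ESCAPE behaviour is visible.
SAMPLE_NAMES = ["alice", "bob", "carol_admin", "dave"]
LIKE_ESCAPE = "\\"  # the escape character declared to the database via ESCAPE


def escape_like(value: str) -> str:
    """Neutralize LIKE metacharacters in an untrusted binding value.

    The escape character is doubled first; otherwise a backslash in the input
    could cancel the escaping of a following % or _.
    """
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def containing_pattern(value: str, escape: bool) -> str:
    """Pattern a CONTAINING matcher produces, with or without neutralization."""
    return "%" + (escape_like(value) if escape else value) + "%"


def match_containing(value: str, escape: bool) -> list:
    """Run a CONTAINING query-by-example for `value` against the sample table.

    Both branches bind the pattern as a parameter (no string concatenation
    into SQL); the only difference is whether wildcards inside the value
    keep their special meaning.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    pattern = containing_pattern(value, escape)
    if escape:
        sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE ? ORDER BY name"
        rows = conn.execute(sql, (pattern, LIKE_ESCAPE)).fetchall()
    else:
        sql = "SELECT name FROM users WHERE name LIKE ? ORDER BY name"
        rows = conn.execute(sql, (pattern,)).fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    # Unescaped, a lone "_" acts as a one-character wildcard and matches every
    # row; escaped, it matches only the name that really contains "_".
    print("unescaped:", match_containing("_", escape=False))
    print("escaped:  ", match_containing("_", escape=True))
```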



Advisories

No advisories yet.

References
History

Wed, 10 Jun 2026 00:00:00 +0000

Values added:
  Description: identical to the Description section above.
  Title: Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern
  Weaknesses: CWE-943
  References: (none)
  Metrics: cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:47:42.091Z

Reserved: 2026-04-22T06:21:22.981Z

Link: CVE-2026-41697

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T00:16:50.947

Modified: 2026-06-10T00:16:50.947

Link: CVE-2026-41697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses