The flaw in Spring Data Relational lies in the handling of StringMatcher patterns within Query By Example. When an external value is bound to a LIKE clause that uses a STARTING, ENDING, or CONTAINING matcher, the framework fails to escape wildcard characters. An attacker who can influence this input can inject % or _ or other SQL LIKE metacharacters, turning the query into a Boolean-based blind inference vector that reveals the existence or absence of database rows without returning explicit data. This vulnerability is a form of insecure input handling (CWE‑943) and can leak sensitive information.

Affected versions include Spring Data JDBC, R2DBC, and Relational libraries from 2.4.0 up to 4.0.5 across the major releases 2.x through 4.x. The bug is present in the query engine component that constructs LIKE expressions and thus applies to any application that relies on Query By Example for data retrieval.

The CVSS score of 4.8 indicates moderate severity. EPSS data is not available, so the exploitation probability cannot be quantified. Based on the description, it is inferred that the vulnerability can be exploited without authentication if the attacker can provide malicious QBE input. The lack of a KEV listing suggests no large‑scale attacks have been documented, but Boolean-based inference attacks can be performed over repeated queries, making this risk realistic for exposed services.