Description
In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled.

Affected versions:
Spring Cloud Sleuth 3.1.0 through 3.1.13.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Affected Spring Cloud Sleuth users can supply specially crafted calls that trigger a denial-of-service condition, exhausting application resources. The flaw is a resource exhaustion weakness, matching CWE-400. The impact is loss of availability for the affected service, as the crafted requests can repeatedly drain memory or processing power, but there is no direct compromise of confidentiality or integrity indicated by the description.

Affected Systems

Spring Cloud Sleuth 3.1.0 through 3.1.13 on Spring frameworks where Spring TX instrumentation is enabled. These are the only combinations listed as vulnerable. No other vendors or products are mentioned.

Risk and Exploitability

The vulnerability is scored 7.5 on CVSS, indicating moderate to high severity. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in CISA KEV. The likely attack path involves an attacker sending crafted requests to the application's exposed endpoints while Spring TX instrumentation is active; from the description it appears to be a remote exploitation scenario, but it requires that the application is reachable and the instrumentation is not disabled.

Generated by OpenCVE AI on June 18, 2026 at 01:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a non‑vulnerable Spring Cloud Sleuth release (e.g., 3.1.14 or later).
  • If an upgrade cannot be performed immediately, disable Spring TX instrumentation in the application configuration to remove the code paths that can be exploited.
  • Monitor incoming traffic for repeated or malformed requests that could indicate an attempt to trigger the DoS condition and implement rate‑limiting or request validation as a countermeasure.

Generated by OpenCVE AI on June 18, 2026 at 01:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Cloud Sleuth
Vendors & Products Spring
Spring spring Cloud Sleuth

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13.
Title Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Spring Spring Cloud Sleuth
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-15T20:06:25.691Z

Reserved: 2026-04-22T06:21:34.490Z

Link: CVE-2026-41708

cve-icon Vulnrichment

Updated: 2026-06-15T20:06:21.114Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-15T20:16:27.940

Modified: 2026-06-16T15:23:55.263

Link: CVE-2026-41708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:39:49Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption