Description
An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail.

Affected versions:
Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.
Published: 2026-06-09
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can send many distinct requests that trigger failures, filling the application‑wide, stateful retry cache. When the cache reaches capacity it irrevocably rejects further updates, causing all subsequent stateful retries and dependent circuit breakers to fail. As a result the application experiences denial of service, affecting reliability and availability of the affected services.

Affected Systems

The vulnerability affects Spring Retry 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4. These versions are part of the Spring framework used by applications that implement stateful retry logic.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity, and the EPSS score is not available, so the exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, but it can be exploited remotely by an attacker who can send crafted requests to any endpoint that activates stateful retries. Because the cache is application‑wide, a single attacker can throttle the entire application, making this a universal denial‑of‑service attack for systems using these Spring Retry versions.

Generated by OpenCVE AI on June 9, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Spring Retry to the latest release that includes the cache exhaustion fix.
  • If an upgrade is not immediately possible, configure a smaller maximum size for the stateful retry cache or disable stateful retry globally via application properties.
  • Monitor retry cache usage and latency; identify abnormal patterns of unique failing requests and block or rate‑limit potential attackers.

Generated by OpenCVE AI on June 9, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41710 cve-icon cve-icon
History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Retry
Vendors & Products Spring
Spring spring Retry

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.
Title Cache Exhaustion in Stateful Retries leads to Denial of Service
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Spring Spring Retry
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T13:44:01.295Z

Reserved: 2026-04-22T06:21:34.490Z

Link: CVE-2026-41710

cve-icon Vulnrichment

Updated: 2026-06-09T13:43:58.061Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T05:16:35.147

Modified: 2026-06-09T13:49:39.993

Link: CVE-2026-41710

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:55:49Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling