Description
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.

Affected versions:
Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Data Commons contains an internal property‑lookup cache that accepts attacker‑supplied strings as cache keys. Because the cache can grow without bounds, an attacker can repeatedly issue requests with unique keys, causing the heap to grow until the application runs out of memory or crashes. This vulnerability corresponds to CWE‑770, a resource or capacity exhaustion weakness. The result is a denial‑of‑service condition that can affect application availability.

Affected Systems

The vendor and product affected are Spring Data Commons. The vulnerability exists in Spring Data Commons versions 2.7.0 through 2.7.19, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5. All distributions that include the Spring Data web support component in those ranges are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability, and the risk of exploitation is elevated when an attacker can send repeated requests to the vulnerable component. Although an EPSS score is not available, the absence of a KEV listing does not diminish the need to respond promptly. Because the cache is keyed on attacker‑supplied property names, the attack vector is inferred to be remote, through web requests to any endpoint that performs property lookup via the Spring Data web support. Successful exploitation requires no special authentication and simply sending a large number of unique property names, eventually exhausting heap space.

Generated by OpenCVE AI on June 10, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Data Commons to the most recent release that includes the cache containment fix.
  • If upgrading immediately is not feasible, configure the application to limit the size of the property‑lookup cache or disable the caching mechanism entirely.
  • Implement rate limiting or traffic shaping on endpoints that trigger property lookup to prevent an attacker from generating a large number of unique cache keys.

Generated by OpenCVE AI on June 10, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41716 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Title Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:48:20.282Z

Reserved: 2026-04-22T06:21:37.020Z

Link: CVE-2026-41716

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:51.567

Modified: 2026-06-10T00:16:51.567

Link: CVE-2026-41716

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses