CVE-2026-41697

Updated on 09 Jun 2026

Severity

4.8 Medium severity

Details

CVSS score
4.8
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Overview

About vulnerability

Description

Spring Data Relational does not escape LIKE wildcard characters in the binding values it derives from externally-controlled input when a StringMatcher of STARTING, ENDING, or CONTAINING is used in Query By Example (QBE).

If an application wires externally-controlled input into a QBE probe, an attacker can supply wildcard characters (the SQL LIKE metacharacters `%` and `_`) so that each request answers a yes/no question about stored values, a boolean-based blind data inference that lets them infer data within the queried entity.

This vulnerability is not exploitable by default. It requires the application developer to explicitly configure and expose a QBE probe that accepts untrusted input.
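The misuse the advisory describes, shown as an added example that is not code from the Spring Data project or from this advisory. The `Customer` entity, the `CustomerRepository` interface and the `CustomerSearch` class are assumptions made for the example; the calls it relies on (`Example.of`, `ExampleMatcher.matching().withMatcher(...)`, `GenericPropertyMatchers.contains()`, `QueryByExampleExecutor.findAll`) are the real Spring Data APIs. The vulnerable method copies an HTTP search term straight into a QBE probe under a CONTAINING matcher. In SQL LIKE, `_` matches any single character and `%` any run of characters, so on an affected version a term such as `a_c` or `%` is no longer a literal substring and instead answers a yes/no question about stored values; the hardened method rejects those metacharacters before the value is bound.

```java
import java.util.regex.Pattern;

import org.springframework.data.annotation.Id;
import org.springframework.data.domain.Example;
import org.springframework.data.domain.ExampleMatcher;
import org.springframework.data.domain.ExampleMatcher.GenericPropertyMatchers;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.QueryByExampleExecutor;

// Hypothetical Spring Data JDBC entity; the class and field names are assumptions.
class Customer {
    @Id Long id;
    String email;
    // A column that must never be searchable. It is only safe as long as the
    // application never copies a request-supplied value into this field of a probe
    // (binding a whole request body into a Customer would do exactly that).
    String apiToken;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

// QBE support comes from QueryByExampleExecutor. Spring Data JDBC and R2DBC both
// implement it on top of Spring Data Relational, which is where the escaping bug is.
interface CustomerRepository extends CrudRepository<Customer, Long>, QueryByExampleExecutor<Customer> {}

class CustomerSearch {

    private final CustomerRepository repo;

    CustomerSearch(CustomerRepository repo) {
        this.repo = repo;
    }

    // VULNERABLE on affected versions: `term` arrives from an HTTP parameter and is
    // placed in the probe unchanged. CONTAINING turns it into a LIKE pattern of the
    // form '%' + term + '%'. Because the library does not escape the bound value,
    // "a_c" matches "abc", "axc", ..., and "%" alone matches every row. Each call
    // therefore leaks one bit ("does some customer's email fit this shape?"), which
    // is the boolean-based blind inference the advisory describes.
    Iterable<Customer> searchVulnerable(String term) {
        Customer probe = new Customer();
        probe.setEmail(term);
        // Properties left null in the probe are ignored by default, so only `email`
        // takes part in the generated WHERE clause.
        ExampleMatcher matcher = ExampleMatcher.matching()
                .withMatcher("email", GenericPropertyMatchers.contains());
        return repo.findAll(Example.of(probe, matcher));
    }

    // LIKE metacharacters plus the backslash that databases commonly use as the
    // LIKE escape character. A legitimate email search has no use for any of them.
    private static final Pattern LIKE_META = Pattern.compile("[%_\\\\]");
    private static final int MAX_TERM_LENGTH = 64;

    // HARDENED: refuse wildcard characters before they can reach the probe, bound
    // the term length, and copy only the one field the caller is allowed to search.
    // Upgrading to a fixed version is still required; this check is defence in depth
    // and also protects the application if it ever falls back to an older release.
    Iterable<Customer> searchHardened(String term) {
        if (term == null || term.isEmpty() || term.length() > MAX_TERM_LENGTH
                || LIKE_META.matcher(term).find()) {
            throw new IllegalArgumentException("search term must not contain LIKE wildcards");
        }
        Customer probe = new Customer();
        probe.setEmail(term);
        ExampleMatcher matcher = ExampleMatcher.matching()
                .withMatcher("email", GenericPropertyMatchers.contains());
        return repo.findAll(Example.of(probe, matcher));
    }
}
```

The check rejects rather than escapes because the application cannot know how the library's generated SQL (and the underlying dialect) will treat an escape character in the bound value; on a fixed version the library escapes the value itself, and the allow-list still keeps `%` and `_` out of a field where they have no legitimate meaning. The same reasoning applies to STARTING and ENDING matchers, where an injected `%` additionally removes the prefix or suffix anchoring the developer intended.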

Affected Spring Products and Versions

Spring Data Relational:

  • 4.0.0 - 4.0.5
  • 3.5.0 - 3.5.11
  • 3.4.0 - 3.4.14
  • 3.3.0 - 3.3.16
  • 3.2.0 - 3.2.15
  • 3.1.0 - 3.0.14
  • 3.0.0 - 3.0.15
  • 2.4.0 - 2.4.19
  • older unsupported versions

Spring Data JDBC (through Spring Data Relational)

  • 4.0.0 - 4.0.5
  • 3.5.0 - 3.5.11
  • 3.4.0 - 3.4.14
  • 3.3.0 - 3.3.16
  • 3.2.0 - 3.2.15
  • 3.1.0 - 3.0.14
  • 3.0.0 - 3.0.15
  • 2.4.0 - 2.4.19
  • older unsupported versions

Spring Data R2DBC (through Spring Data Relational)

  • 4.0.0 - 4.0.5
  • 3.5.0 - 3.5.11
  • 3.4.0 - 3.4.14
  • 3.3.0 - 3.3.16
  • 3.2.0 - 3.2.15
  • 3.1.0 - 3.0.14
  • 3.0.0 - 3.0.15
  • 1.5.0 - 1.5.19
  • older unsupported versions

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
4.0.x 4.0.6 OSS
3.5.x 3.5.12 OSS
3.4.x 3.4.15 Enterprise Support Only
3.3.x 3.3.17 Enterprise Support Only
2.4.x 2.4.20 Enterprise Support Only

History

  • 2026-06-09: Initial vulnerability report published.

Details

Affected product:
Spring
Affected packages:
Spring Data @ 1.5.18 (+80 more)