CVE-2026-41716

Updated on 09 Jun 2026

Severity

7.5 High severity

Details

CVSS score
7.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Overview

Description

Spring Data’s internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.

Affected applications are those using Spring Data features that forward HTTP-supplied strings to PropertyPath.from without prior filtering, in particular Querydsl web bindings (via QuerydslPredicateArgumentResolver) with the default permit-all visibility, and @ProjectedPayload form-parameter binding (via MapDataBinder).
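The advisory's only stated fix is to upgrade. As a defence-in-depth measure for the Querydsl web-binding path it describes, the added example below (not code from the advisory or from the Spring Data project) shows how to replace the default permit-all visibility with an explicit allow-list via the documented QuerydslBinderCustomizer hook, so that request-parameter names outside that list are ignored by the binding resolver instead of being treated as candidate property paths. The User entity, the generated QUser class and the /users endpoint are assumptions made for the illustration; whether a particular version consults the allow-list before parsing a path should be verified against the version actually in use, and this does not remove the need to upgrade.

```java
// Added example: allow-listing Querydsl web bindings so that unlisted request
// parameter names are ignored rather than resolved as property paths.
// "User" and the Querydsl-generated "QUser" are assumed for illustration.
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.querydsl.binding.QuerydslPredicate;
import org.springframework.data.repository.CrudRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import com.querydsl.core.types.Predicate;

public interface UserRepository extends CrudRepository<User, Long>,
        QuerydslPredicateExecutor<User>, QuerydslBinderCustomizer<QUser> {

    @Override
    default void customize(QuerydslBindings bindings, QUser root) {
        // Only these properties may be bound from HTTP request parameters.
        bindings.including(root.username, root.email);

        // Ignore every parameter name that is not listed above. With the
        // default (false), any parameter name is a candidate property path.
        bindings.excludeUnlistedProperties(true);

        // Optionally constrain how a listed property is matched.
        bindings.bind(root.username).first((path, value) -> path.containsIgnoreCase(value));
    }
}

@RestController
class UserController {

    private final UserRepository users;

    UserController(UserRepository users) {
        this.users = users;
    }

    // The resolver builds the Predicate from request parameters using the
    // bindings declared in UserRepository, so only "username" and "email"
    // are considered; e.g. GET /users?username=alice&anything=else binds
    // only "username" and discards "anything".
    @GetMapping("/users")
    Iterable<User> search(
            @QuerydslPredicate(root = User.class, bindings = UserRepository.class) Predicate predicate) {
        return users.findAll(predicate);
    }
}
```

The same idea applies to the @ProjectedPayload form-binding path: bind only a fixed set of known field names rather than forwarding arbitrary parameter names. Neither measure replaces upgrading to a fixed version listed under Mitigation.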

Affected Spring Products and Versions

Spring Data Commons (transitively affects all Spring Data store modules):

  • 2.7.0 - 2.7.19
  • 3.3.0 - 3.3.16
  • 3.4.0 - 3.4.14
  • 3.5.0 - 3.5.11
  • 4.0.0 - 4.0.5

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s)   Fix version   Availability
2.7.x                 2.7.20        Commercial
3.3.x                 3.3.17        Commercial
3.4.x                 3.4.15        Commercial
3.5.x                 3.5.12        OSS
4.0.x                 4.0.6         OSS

References

History

  • 2026-06-09: Initial vulnerability report published.

Details

Affected product:
Spring
Affected packages:
Spring Data @ 2.4.18 (+158 more)