CVE Catalog

CVE-2026-41716

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile - higher than 28% of all known CVEs

Summary

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.

Risk Assessment

An attacker can send multiple requests with unique crafted keys, causing uncontrolled cache growth and heap memory exhaustion, leading to denial of service (DoS).

Recommendation

Immediately upgrade Spring Data Commons to version 2.7.20, 3.3.17, 3.4.15, 3.5.12, or 4.0.6 depending on your branch, and restrict application access to trusted sources only.

Original NVD description (English source)

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS