CVE-2026-41716
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.
Risk Assessment
An attacker can send multiple requests with unique crafted keys, causing uncontrolled cache growth and heap memory exhaustion, leading to denial of service (DoS).
Recommendation
Immediately upgrade Spring Data Commons to version 2.7.20, 3.3.17, 3.4.15, 3.5.12, or 4.0.6 depending on your branch, and restrict application access to trusted sources only.
Original NVD description (English source)
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.

