CVE-2026-41716

Summary

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.

Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.

Affected Software

VendorProductVersion RangeStatus
SpringSpring Data Commons2.7.0 < 2.7.20affected
SpringSpring Data Commons3.3.0 < 3.3.17affected
SpringSpring Data Commons3.4.0 < 3.4.15affected
SpringSpring Data Commons3.5.0 < 3.5.11.1affected
SpringSpring Data Commons4.0.0 < 4.0.5.1affected

Weaknesses

  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References