VMware Spring Framework


Recent VMware Spring Framework Security Advisories

Published       Advisory        Severity  Title
June 12, 2026   CVE-2026-47835  High      Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores
June 11, 2026   CVE-2026-47825  High      Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
June 11, 2026   CVE-2026-41862  High      Kryo deserialization of persisted context without class allowlist
June 11, 2026   CVE-2026-41708  High      Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability
June 10, 2026   CVE-2026-41000  Low       WSS4J validation does not use configured replay cache
June 10, 2026   CVE-2026-40999  High      Spring WS SSRF via unvalidated WS-Addressing reply destinations
June 10, 2026   CVE-2026-40987  High      Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
June 10, 2026   CVE-2026-40995  Medium    X.509 authentication bypasses Spring Security account checks
June 10, 2026   CVE-2026-40997  Medium    SOAP security faults leak Spring Security account state
June 10, 2026   CVE-2026-40996  Medium    Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default

EOL Dates

Ensure that you are using a supported version of VMware Spring Framework. Below are the end-of-life and end-of-extended-support dates for VMware Spring Framework releases.

Release  EOL Date           End of Extended Support  Status
7.0      June 30, 2027      June 30, 2028            Active
6.2      June 30, 2026      June 30, 2032            EOL This Year
6.1      June 30, 2025      June 30, 2026            EOL
6.0      June 30, 2024      August 31, 2025          EOL
5.3      August 31, 2024    June 30, 2029            EOL
5.2      December 31, 2021  December 31, 2023        EOL
5.1      December 31, 2020  December 31, 2022        EOL
5.0      December 31, 2020  -                        EOL
4.3      December 31, 2020  -                        EOL
3.2      December 31, 2016  -                        EOL

VMware Spring Framework 7.0 will become EOL next year, in June 2027.
VMware Spring Framework 6.2 will become EOL this year, in June 2026.
VMware Spring Framework 6.1 became EOL in 2025 and the extended support period ends in 2026.
VMware Spring Framework 6.0 became EOL in 2024 and the extended support period ended in 2025.
VMware Spring Framework 5.3 became EOL in 2024 and the extended support period ends in 2029.
VMware Spring Framework 5.2 became EOL in 2021 and the extended support period ended in 2023.
VMware Spring Framework 5.1 became EOL in 2020 and the extended support period ended in 2022.
VMware Spring Framework 5.0 became EOL in 2020.
VMware Spring Framework 4.3 became EOL in 2020.
VMware Spring Framework 3.2 became EOL in 2016.

Extended Support differs by vendor, and may cost additional fees. Check with VMware to see how they define extended support.

By the Year

In 2026 there have been 107 vulnerabilities in VMware Spring Framework, with an average score of 6.6 out of ten. Last year, in 2025, Spring Framework had 6 security vulnerabilities published, so 101 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the 2026 vulnerabilities is also higher, by 0.29.

Year Vulnerabilities Average Score
2026 107 6.59
2025 6 6.30
2024 6 6.40
2023 4 7.00
2022 6 6.28
2021 2 6.05
2020 4 7.28
2019 0 0.00
2018 11 7.61

It may take a day or so for new Spring Framework vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent VMware Spring Framework Security Vulnerabilities

Spring Statemachine Deserialization RCE via Unsecured Persistence 3.2-4.0
CVE-2026-41862 8.8 - High - June 23, 2026

Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM. Affected versions: Spring Statemachine 4.0.0 through 4.0.1; 3.2.0 through 3.2.4.

Marshaling, Unmarshaling

Spring Cloud Gateway XFF Header Forwarding Issue (3.1.13)
CVE-2026-47825 8.6 - High - June 15, 2026

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).

Origin Validation Error

DoS with crafted calls in Spring Cloud Sleuth 3.1.x (sleuth-instrumentation)
CVE-2026-41708 7.5 - High - June 15, 2026

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13.

Resource Exhaustion

Spring AI Vector Store ES/OpenSearch/GemFire Query Injection v1.0.0-1.1.x (fixed 1.1.8)
CVE-2026-47835 8.6 - High - June 15, 2026

In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).

Improper Neutralization of Special Elements in Data Query Logic

Spring GraphQL 1.0-2.0.3 Annotation Harness flaw: @Sec annotations ignored in C2 inheritance
CVE-2026-41856 7.5 - High - June 11, 2026

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Authorization

Spring GraphQL WebSocket Hijacking (v1.0-2.0.3)
CVE-2026-41700 8.1 - High - June 11, 2026

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Origin Validation Error

RCE via Unsafe Deserialization in Spring for GraphQL 1.3-2.0
CVE-2026-41699 8.1 - High - June 11, 2026

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Marshaling, Unmarshaling

Spring Boot Artemis DataDir Path Prediction 2.7.0-4.0.6 Local Attack
CVE-2026-41001 5.3 - Medium - June 11, 2026

Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33.

Insecure Temporary File

Spring WS ReplayCache Wiring Flaw (5.0.x,4.1.x,4.0.x,3.1.x)
CVE-2026-41000 3.7 - Low - June 11, 2026

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Authentication Bypass by Capture-replay

Spring WS RCE via unsafe WS-Addressing ReplyTo/FaultTo (before 5.0.2)
CVE-2026-40999 8.6 - High - June 11, 2026

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

SSRF

Spring WS 3.1-5.0 XXE via XPathTemplate & default JDK XML Parser
CVE-2026-40998 8.2 - High - June 11, 2026

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

XXE

Spring WS 5.0.0-5.0.1 Detailed Account State via Exception Messages in Spring Security
CVE-2026-40997 5.3 - Medium - June 11, 2026

Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Generation of Error Message Containing Sensitive Information

Spring Web Services 3.1.0-5.0.1 Insecure RSA PKCS#1 v1.5 Key Transport Default
CVE-2026-40996 4.8 - Medium - June 11, 2026

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Use of a Broken or Risky Cryptographic Algorithm

Spring Web Services 4.0-5.0 X509AuthenticationProvider bypasses account state checks
CVE-2026-40995 5.4 - Medium - June 11, 2026

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Authentication

Spring WS: Wss4jSecurityInterceptor disables WSS4J BSP enforcement (5.0.0-5.0.1, 4.1.0-4.1.3)
CVE-2026-40994 8.2 - High - June 11, 2026

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Insecure Default Initialization of Resource

Spring Boot Mail Auto-Config missing hostname verification (3.4-4.0)
CVE-2026-40992 5.0 - Medium - June 11, 2026

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16.

Improper Certificate Validation

Spring Integration 5.5.0-5.5.20 FTP/SFTP/SMB arbitrary file write
CVE-2026-40987 7.1 - High - June 11, 2026

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Directory traversal

Spring Web Flow JS RemotingHandler XSS via Error Rendering (<4.0.0, 3.0.0-3.0.1, 2.5.0-2.5.1)
CVE-2026-40986 4.8 - Medium - June 11, 2026

Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

XSS

Spring Web Flow: EL Injection via WebFlowELExpressionParser (v4.0.0,3.x,2.x)
CVE-2026-40985 6.4 - Medium - June 11, 2026

Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1.

EL Injection

Spring Security X.509 CN Mismatch: SubjectDnX509PrincipalExtractor (5.7-6.5)
CVE-2026-47838 6.8 - Medium - June 09, 2026

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.

Authentication

Spring Data REST 3.x-5.0.x Querydsl Path Traversal via Arbitrary Property Keys
CVE-2026-41837 5.3 - Medium - June 09, 2026

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Authorization

Spring Pulsar JSON Header RCE: Trusted Package Prefix (2.0.5, 1.2.17, 1.1.17)
CVE-2026-41732 8.1 - High - June 09, 2026

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17.

Marshaling, Unmarshaling

Spring for Apache Kafka 4.0.5 JDK deserialisation via header mapping
CVE-2026-41731 8.1 - High - June 09, 2026

JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Marshaling, Unmarshaling

Spring Data REST 3.7.0-5.0.5 exception cause chain leakage
CVE-2026-41730 5.3 - Medium - June 09, 2026

Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Generation of Error Message Containing Sensitive Information

Spring Data REST 3.7.0-5.0.5 JSON Patch SpEL Injection via Map Keys
CVE-2026-41729 8.1 - High - June 09, 2026

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

EL Injection

Spring Data REST JSON Patch WriteFilter Bypass 3.7-5.0.5
CVE-2026-41728 7.5 - High - June 09, 2026

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Authorization

Spring Kafka 2.8-4.0.5 retry_topic header validation flaw
CVE-2026-41727 6.5 - Medium - June 09, 2026

Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Improper Input Validation

Spring-Kafka 2.8.0-4.0.5 OOM via DelegatingDeserializer
CVE-2026-41726 6.5 - Medium - June 09, 2026

When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11.

Allocation of Resources Without Limits or Throttling

Spring Data Commons DoS via @ProjectedPayload (4.0.5)
CVE-2026-41721 5.9 - Medium - June 09, 2026

Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Resource Exhaustion

Spring Data KeyValue/Redis SpEL Injection via Sort (4.0.5)
CVE-2026-41719 6.4 - Medium - June 09, 2026

A SpEL Injection vulnerability exists in Spring Data KeyValue if unsanitized user input is passed as a Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

EL Injection

Spring Data MongoDB 5.0.5 SpEL Injection via @Query capture-all
CVE-2026-41717 8.1 - High - June 09, 2026

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

EL Injection

Heap Exhaustion via Cache Key Leak in Spring Data Commons (2.7.0-4.0.5)
CVE-2026-41716 7.5 - High - June 09, 2026

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.

Allocation of Resources Without Limits or Throttling

Spring AMQP TLS Bypass: AMQPS URI without SSL enabled (v2.4.0-4.0.3)
CVE-2026-41714 4.0 - Medium - June 09, 2026

Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

Improper Certificate Validation

Spring Data Commons DoS via StackOverflowException (Sort) v2.7-4.0.5
CVE-2026-41711 5.9 - Medium - June 09, 2026

Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19.

Resource Exhaustion

Spring Security CookieRequestCache URL redirect without validation 5.7-7.0
CVE-2026-41706 6.1 - Medium - June 09, 2026

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Open Redirect

Spring AMQP 4.0.3 correlation ID predictability in sendAndReceive()
CVE-2026-41701 4.4 - Medium - June 09, 2026

Correlation IDs for replies in RabbitTemplate.sendAndReceive() with a fixed reply queue are predictable because they are generated from a simple internal counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17.

Use of Insufficiently Random Values

Spring Data Relational QBE StringMatcher SQLi (4.0.x-3.0.x)
CVE-2026-41697 4.8 - Medium - June 09, 2026

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.

Improper Neutralization of Special Elements in Data Query Logic

Spring Data MongoDB <=5.0.5 Regex Injection via @Query
CVE-2026-41696 5.9 - Medium - June 09, 2026

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.

Improper Neutralization of Special Elements in Data Query Logic

Spring Data Commons 3.4-4.0.5 DoS via Property Path Exhaustion
CVE-2026-41695 7.5 - High - June 09, 2026

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.

Resource Exhaustion

Spring Security SAML Decryption Oracle (v5.7-7.0.5)
CVE-2026-41694 3.7 - Low - June 09, 2026

Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Improper Verification of Cryptographic Signature

Spring Authorization Server <=7.0.5 Open Redirect via request_uri
CVE-2026-41008 6.1 - Medium - June 09, 2026

Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.

Open Redirect

Spring Security 5.7-5.8,6.3-6.5,7.0 RelyingPartyRegistration XSS/Code Exec
CVE-2026-41003 7.6 - High - June 09, 2026

An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

XSS

Spring Security 7.0.0-7.0.5 - Stored Serialized Payload via JdbcAssertingPartyMetadataRepository
CVE-2026-40993 7.3 - High - June 09, 2026

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.

Marshaling, Unmarshaling

Spring REST Docs XXE via API Documentation Tests (v2.0.0-4.0.0)
CVE-2026-40991 5.9 - Medium - June 09, 2026

When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.

XXE

Denial of Service in Spring Security SAML2-REDIRECT (5.7.0-7.0.5)
CVE-2026-40988 7.5 - High - June 09, 2026

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

Resource Exhaustion

Unbounded Static Cache in Spring HATEOAS 1.5.0-3.0.3 (StringLinkRelation)
CVE-2026-41007 7.5 - High - June 09, 2026

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Allocation of Resources Without Limits or Throttling

Spring HATEOAS 1.5.x-3.0.x: Unsafe Bean Binding via Reflection (CVE-2026-41006)
CVE-2026-41006 7.5 - High - June 09, 2026

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Authorization

Spring MVC/WebFlux /** Mapping 302 Redirect EIP (5.3-7.0)
CVE-2026-41844 4.2 - Medium - June 09, 2026

A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Open Redirect

Spring Framework 5.3.x-7.0.x Static Resource Path Traversal
CVE-2026-41843 5.9 - Medium - June 09, 2026

Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Directory traversal

Spring MVC/WebFlux Static Resource DoS 5.3-7.0.7
CVE-2026-41842 7.5 - High - June 09, 2026

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Resource Exhaustion
