DoS with crafted calls in Spring Cloud Sleuth 3.1.x (sleuth-instrumentation)
CVE-2026-41708 Published on June 15, 2026
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability
In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled.
Affected versions:
Spring Cloud Sleuth 3.1.0 through 3.1.13.
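To check a build against the affected range above, the following added example (not code from the advisory or from the Spring project) scans the text output of `mvn dependency:tree` or `gradle dependencies` for the affected artifact. The function names and the sample report are constructed for illustration, and it tests only the version condition, not whether Spring TX instrumentation is disabled.

```python
import re

# Coordinates and range as stated in the advisory (3.1.0 through 3.1.13).
ARTIFACT = "org.springframework.cloud:spring-cloud-sleuth-instrumentation"
FIRST_AFFECTED, LAST_AFFECTED = (3, 1, 0), (3, 1, 13)

def extract_version(line):
    """Return the resolved version of ARTIFACT on this line, or None if absent."""
    token = next((t for t in line.split()
                  if t == ARTIFACT or t.startswith(ARTIFACT + ":")), None)
    if token is None:
        return None
    fields = token.split(":")[2:]
    # Maven prints packaging[:classifier]:version:scope; Gradle prints version only,
    # or nothing at all when the version comes from a BOM.
    version = fields[-2] if len(fields) >= 2 else (fields[0] if fields else "?")
    resolved = re.search(r"->\s*(\S+)", line)  # Gradle shows "requested -> resolved"
    return resolved.group(1) if resolved else version

def is_affected(version):
    """True/False for a comparable version, None when it cannot be parsed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None  # report as unknown instead of silently passing
    # Qualifiers such as -SNAPSHOT are ignored (assumption of this example).
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) <= LAST_AFFECTED

def scan(report):
    """Return [(version, verdict)] for every occurrence of ARTIFACT in the report."""
    findings = []
    for line in report.splitlines():
        version = extract_version(line)
        if version is not None:
            findings.append((version, is_affected(version)))
    return findings

# Constructed sample mixing Maven and Gradle output styles.
SAMPLE = """
[INFO] +- org.springframework.cloud:spring-cloud-starter-sleuth:jar:3.1.5:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-sleuth-instrumentation:jar:3.1.5:compile
+--- org.springframework.cloud:spring-cloud-sleuth-instrumentation:3.1.13 -> 3.1.14
+--- org.springframework.cloud:spring-cloud-sleuth-instrumentation:3.0.6
+--- org.springframework.cloud:spring-cloud-sleuth-instrumentation -> 3.1.9 (*)
"""

if __name__ == "__main__":
    for version, verdict in scan(SAMPLE):
        print(version, {True: "AFFECTED", False: "ok", None: "unknown"}[verdict])
```

A verdict of `None` means the version string could not be compared and should be reviewed by hand.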
Vulnerability Analysis
CVE-2026-41708 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-41708 has been classified as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-41708
Affected Versions
Spring Cloud Sleuth: versions from 3.1.0 up to, but not including, 3.1.14 are affected.