Spring Retry 1.3.0-1.3.4/2.0.0-2.0.12: Stateful Retry Cache Capacity Exhaustion DoS
CVE-2026-41710 Published on June 9, 2026
Cache Exhaustion in Stateful Retries leads to Denial of Service
An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail.
Affected versions:
Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.
Vulnerability Analysis
CVE-2026-41710 is exploitable with network access and requires neither authorization privileges nor user interaction. It is considered to have a high level of attack complexity. A successful exploit is considered to have no impact on confidentiality or integrity, and a high impact on availability.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-41710
Affected Versions
Spring Retry:
- Versions from 2.0.0 up to, but not including, 2.0.13 are affected.
- Versions from 1.3.0 up to, but not including, 1.3.5 are affected.
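An added example, not from the advisory or the Spring Retry project: a Python check that scans Maven `dependency:tree` or Gradle `dependencies` output for spring-retry versions inside the affected ranges listed above. The sample report lines are constructed, and the function names are this example's own.

```python
import re

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED = [((1, 3, 0), (1, 3, 4)), ((2, 0, 0), (2, 0, 12))]

# Matches Maven "group:artifact:jar:version:scope" and Gradle
# "group:artifact:version", plus Gradle's "-> resolved" suffix.
COORD = re.compile(
    r"org\.springframework\.retry:spring-retry"
    r"(?::jar)?(?::(?P<declared>\d+\.\d+\.\d+))?"
    r"(?:[^\n]*?->\s*(?P<resolved>\d+\.\d+\.\d+))?"
)

def is_affected(version):
    """True if a dotted version string falls in an affected range."""
    v = tuple(int(part) for part in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def scan(report):
    """Return (line_number, version) for each affected spring-retry line."""
    findings = []
    for number, line in enumerate(report.splitlines(), 1):
        match = COORD.search(line)
        if not match:
            continue
        # Gradle prints "declared -> resolved"; the resolved version is
        # the one that actually ends up on the classpath.
        version = match.group("resolved") or match.group("declared")
        if version and is_affected(version):
            findings.append((number, version))
    return findings

# Constructed sample mixing Maven and Gradle report lines.
SAMPLE = """\
[INFO] +- org.springframework.retry:spring-retry:jar:2.0.5:compile
[INFO] +- org.springframework.retry:spring-retry:jar:2.0.13:compile
+--- org.springframework.retry:spring-retry:1.3.4
+--- org.springframework.retry:spring-retry:1.3.1 -> 2.0.13
\\--- org.springframework.retry:spring-retry:1.2.5.RELEASE -> 1.3.2
"""

if __name__ == "__main__":
    for number, version in scan(SAMPLE):
        print(f"line {number}: spring-retry {version} is in an affected range")
```

The check reads the resolved version, so a transitive dependency that a build already forces past the affected range is not flagged.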