Heap Exhaustion via Cache Key Leak in Spring Data Commons (2.7.0-4.0.5)
CVE-2026-41716 Published on June 9, 2026
Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.
Affected versions:
Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Vulnerability Analysis
CVE-2026-41716 is exploitable over the network and requires neither privileges nor user interaction. Attack complexity is rated low. Successful exploitation has no impact on confidentiality or integrity, but a high impact on availability.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
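The class below is an added example, not part of this advisory and not Spring Data's own code. It models the pattern the description above warns about: a property-lookup cache that also stores negative results, so every unknown name a client supplies becomes a key that is never released. The entity's property names, the cache cap and the method names are assumptions made for the demonstration; the bounded variant shows one standard mitigation for this weakness class (a fixed-size, access-ordered map that evicts its eldest entry).

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Simplified model (added example, not Spring Data's code) of a property-lookup
 * cache that remembers negative results ("no such property") so that the next
 * request for the same name skips the reflective scan.
 */
public final class PropertyLookupCache {

    /** Sentinel stored for names that resolved to "no such property". */
    private static final Object MISSING = new Object();

    /** Properties of the (constructed) entity type: name -> type. */
    private final Map<String, Class<?>> properties;

    /** Vulnerable pattern: one entry per distinct requested name, kept for the life of the JVM. */
    private final Map<String, Object> unboundedCache = new ConcurrentHashMap<>();

    /** Hardened pattern: access-ordered LinkedHashMap that evicts its eldest entry past a fixed cap. */
    private final Map<String, Object> boundedCache;

    public PropertyLookupCache(Map<String, Class<?>> properties, int maxEntries) {
        this.properties = Map.copyOf(properties);
        this.boundedCache = Collections.synchronizedMap(
            new LinkedHashMap<String, Object>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Object> eldest) {
                    // Eviction keeps the map at or below maxEntries regardless of input.
                    return size() > maxEntries;
                }
            });
    }

    /** Resolves a name without caching; stands in for the reflective scan the cache is meant to avoid. */
    private Object resolve(String propertyName) {
        Class<?> type = properties.get(propertyName);
        return type == null ? MISSING : type;
    }

    /** Vulnerable: any string a client places in a sort or projection parameter becomes a permanent key. */
    public Optional<Class<?>> lookupUnbounded(String propertyName) {
        Object hit = unboundedCache.computeIfAbsent(propertyName, this::resolve);
        return hit == MISSING ? Optional.empty() : Optional.of((Class<?>) hit);
    }

    /** Hardened: same semantics, but the map can never hold more than maxEntries keys. */
    public Optional<Class<?>> lookupBounded(String propertyName) {
        Object hit;
        // synchronizedMap locks on the wrapper itself, so this guards the get-then-put as one step.
        synchronized (boundedCache) {
            hit = boundedCache.get(propertyName);
            if (hit == null) {
                hit = resolve(propertyName);
                boundedCache.put(propertyName, hit);
            }
        }
        return hit == MISSING ? Optional.empty() : Optional.of((Class<?>) hit);
    }

    public int unboundedCacheSize() { return unboundedCache.size(); }
    public int boundedCacheSize()   { return boundedCache.size(); }

    public static void main(String[] args) {
        // Constructed entity with two real properties; the cap of 256 is an arbitrary demo value.
        PropertyLookupCache cache = new PropertyLookupCache(
            Map.of("firstname", String.class, "age", Integer.class), 256);

        // Feed both caches the same stream of distinct, non-existent property names.
        for (int i = 0; i < 5_000; i++) {
            String bogus = "nosuchproperty" + i;
            cache.lookupUnbounded(bogus);
            cache.lookupBounded(bogus);
        }
        System.out.println("known property still resolves: " + cache.lookupBounded("age").isPresent());
        System.out.println("unbounded cache entries: " + cache.unboundedCacheSize());
        System.out.println("bounded cache entries:   " + cache.boundedCacheSize());
    }
}
```

Running `main` shows the unbounded map holding one entry per distinct name it was ever asked about, while the bounded map stays at its cap and still answers lookups for real properties. The cap is a mitigation for the weakness class, not a substitute for upgrading past the affected version ranges listed on this page; a further hardening is to validate client-supplied property names against the entity's known properties before any cache is consulted, so unknown names never reach it at all.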
Affected Versions
Spring Data Commons:
- Versions from 2.7.0 up to, but not including, 2.7.20 are affected.
- Versions from 3.3.0 up to, but not including, 3.3.17 are affected.
- Versions from 3.4.0 up to, but not including, 3.4.15 are affected.
- Versions from 3.5.0 up to, but not including, 3.5.12 are affected.
- Versions from 4.0.0 up to, but not including, 4.0.6 are affected.