Spring Security Advisories

RSS feed

CVE-2026-41716: Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names

HIGH | JUNE 09, 2026 | CVE-2026-41716

Description

Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests.

Affected applications are those using Spring Data features that forward HTTP-supplied strings to PropertyPath.from without prior filtering, in particular Querydsl web bindings (via QuerydslPredicateArgumentResolver) with the default permit-all visibility, and @ProjectedPayload form-parameter binding (via MapDataBinder).

Affected Spring Products and Versions

Spring Data Commons (transitively affects all Spring Data store modules):

  • 2.7.0 - 2.7.19
  • 3.3.0 - 3.3.16
  • 3.4.0 - 3.4.14
  • 3.5.0 - 3.5.11
  • 4.0.0 - 4.0.5

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
2.7.x 2.7.20 Commercial
3.3.x 3.3.17 Commercial
3.4.x 3.4.15 Commercial
3.5.x 3.5.12 OSS
4.0.x 4.0.6 OSS

References

History

  • 2026-06-09: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all