Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41721: Spring Data Commons Denial of Service via Data Binding
Description
Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory.
Affected Spring Products and Versions
Spring Data Commons:
- 4.0.0 to 4.0.5
- 3.5.0 to 3.5.11
- 3.4.0 to 3.4.14
- 3.3.0 to 3.3.16
- 3.2.0 to 3.2.15
- 3.1.0 to 3.1.14
- 3.0.0 to 3.0.15
- 2.7.0 to 2.7.19
- older unsupported versions
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 4.0.x | 4.0.6 | OSS |
| 3.5.x | 3.5.12 | OSS |
| 3.4.x | 3.4.15 | Enterprise Support Only |
| 3.3.x | 3.3.17 | Enterprise Support Only |
| 2.7.x | 2.7.20 | Enterprise Support Only |
References
History
- 2026-06-09: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all