Spring Security Advisories

RSS feed

CVE-2026-41730: Spring Data REST exposes persistence-layer internals in error responses

MEDIUM | JUNE 09, 2026 | CVE-2026-41730

Description

Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients.

Affected applications are those that expose a Spring Data REST repository backed by a relational (JDBC/JPA) store and do not apply additional error-handling configuration or a Spring Security access policy that prevents unauthenticated access to the affected endpoints.

Affected Spring Products and Versions

Spring Data REST:

  • 3.7.0 - 3.7.19
  • 4.3.0 - 4.3.16
  • 4.4.0 - 4.4.14
  • 4.5.0 - 4.5.11
  • 5.0.0 - 5.0.5

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
3.7.x 3.7.20 Commercial
4.3.x 4.3.17 Commercial
4.4.x 4.4.15 Commercial
4.5.x 4.5.12 OSS
5.0.x 5.0.6 OSS

References

History

  • 2026-06-09: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all