PatchSiren cyber security CVE debrief
CVE-2026-41007 Spring CVE debrief
CVE-2026-41007 is a high-severity vulnerability in Spring HATEOAS, a library for building RESTful web services. The vulnerability allows for a denial-of-service (DoS) attack due to an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings.
- Vendor: Spring
- Product: Spring HATEOAS
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Users of Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3 should be aware of this vulnerability.
Technical summary
The vulnerability is an unbounded static cache of StringLinkRelation instances in Spring HATEOAS, keyed on attacker-supplied strings. Because the cache is static and never evicts entries, every distinct relation string a client supplies adds an instance that is retained for the lifetime of the process, so a stream of unique values can exhaust memory and cause a denial of service (DoS).
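As an added illustration of this bug class (not Spring HATEOAS's own code; the Rel record, the RelCacheDemo class and its method names are hypothetical), the unbounded static cache pattern is shown next to a bounded LRU alternative that caps retained entries regardless of how many distinct strings clients send:

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a link-relation value object.
record Rel(String value) {}

public final class RelCacheDemo {

    // Vulnerable pattern: a static, unbounded cache keyed on the raw input string.
    // Each distinct string adds an entry that is never evicted, so memory grows
    // with the number of unique inputs for the lifetime of the JVM.
    private static final Map<String, Rel> UNBOUNDED = new ConcurrentHashMap<>();

    static Rel ofUnbounded(String rel) {
        return UNBOUNDED.computeIfAbsent(rel, Rel::new);
    }

    // Hardened pattern: an access-ordered LinkedHashMap with a fixed ceiling.
    // Untrusted strings can still be cached, but once MAX_ENTRIES is reached the
    // least recently used entry is evicted, bounding retained memory.
    private static final int MAX_ENTRIES = 1024;
    private static final Map<String, Rel> BOUNDED = Collections.synchronizedMap(
        new LinkedHashMap<String, Rel>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Rel> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    static Rel ofBounded(String rel) {
        return BOUNDED.computeIfAbsent(rel, Rel::new);
    }

    static int unboundedSize() { return UNBOUNDED.size(); }
    static int boundedSize() { return BOUNDED.size(); }

    public static void main(String[] args) {
        // Constructed input: 10,000 distinct relation names, standing in for
        // many unique client-supplied values reaching the cache over time.
        for (int i = 0; i < 10_000; i++) {
            String rel = "rel-" + i;
            ofUnbounded(rel);
            ofBounded(rel);
        }
        System.out.println("unbounded cache entries: " + unboundedSize());
        System.out.println("bounded cache entries:   " + boundedSize());
    }
}
```

Running it shows the unbounded map holding one entry per distinct input while the bounded map never exceeds MAX_ENTRIES; the same size check is a useful assertion in a regression test for any cache keyed on request data.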
Defensive priority
High
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring HATEOAS.
- Implement rate limiting or other traffic shaping measures to prevent abuse.
Evidence notes
The CVE-2026-41007 vulnerability was published on 2026-06-09T05:16:35.033Z and modified on 2026-06-11T16:58:43.700Z. The CVSS score is 7.5, and the severity is High.
Official resources
- CVE-2026-41007 CVE record (CVE.org)
- CVE-2026-41007 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory