PatchSiren cyber security CVE debrief
CVE-2026-41695 Spring CVE debrief
CVE-2026-41695 is a high-severity denial of service vulnerability in Spring Data Commons. Applications using affected versions may be vulnerable to resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. The affected versions include Spring Data Commons 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, and 3.4.0 through 3.4.14.
- Vendor: Spring
- Product: Spring Data Commons
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring Data Commons, particularly those using versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, and 3.4.0 through 3.4.14, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability arises because attacker-controlled property path strings reach MappingContext property path resolution without adequate handling; resolving such strings can exhaust resources and result in denial of service.
Defensive priority
High
Recommended defensive actions
- Update to a non-vulnerable version of Spring Data Commons.
- Implement proper input validation and sanitization for property path strings.
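The second action above is the one an application owner can apply before an upgrade window. As an added illustration that is not part of this debrief or of Spring Data Commons itself, the following Java guard bounds an untrusted property path string before it is handed to any resolution code: it caps total length and segment count, restricts each segment to an identifier pattern, and checks every segment against an allowlist built from the domain type's known property names. The dot-separated path form, the numeric limits, and the `PropertyPathGuard` class name are assumptions for the example; the allowlist contents are constructed sample values.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Pre-validation for property path strings taken from request input
 * (sort or filter parameters, for example) before they are passed on
 * to Spring Data property path resolution. Assumed example code.
 */
public final class PropertyPathGuard {

    // Assumed limits: tighten or loosen to fit the real domain model.
    private static final int MAX_LENGTH = 128;
    private static final int MAX_SEGMENTS = 4;

    // One path segment: a Java-identifier-like name, nothing else.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    private final Set<String> allowedSegments;

    /** allowedSegments: property names the caller is prepared to resolve. */
    public PropertyPathGuard(Set<String> allowedSegments) {
        this.allowedSegments = Set.copyOf(allowedSegments);
    }

    /** Returns true only if every bound and allowlist check passes. */
    public boolean isAcceptable(String path) {
        if (path == null || path.isEmpty() || path.length() > MAX_LENGTH) {
            return false;
        }
        // Keep trailing empty strings so "a." and "a..b" are caught as empty segments.
        String[] segments = path.split("\\.", -1);
        if (segments.length > MAX_SEGMENTS) {
            return false;
        }
        for (String segment : segments) {
            if (!SEGMENT.matcher(segment).matches()) {
                return false;
            }
            if (!allowedSegments.contains(segment)) {
                return false;
            }
        }
        return true;
    }

    /** Fail closed: callers get the original string back or an exception, never a partial path. */
    public String require(String path) {
        if (!isAcceptable(path)) {
            throw new IllegalArgumentException("property path rejected by guard");
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed allowlist for a hypothetical Order -> Customer -> Address model.
        PropertyPathGuard guard = new PropertyPathGuard(
                Set.of("customer", "address", "city", "name"));

        String[] samples = {
                "customer.address.city",          // within every bound
                "customer.address.city.name.x",   // exceeds MAX_SEGMENTS
                "a".repeat(200),                  // exceeds MAX_LENGTH
                "customer..city",                 // empty segment
                "customer.${jndi}",               // segment fails the identifier pattern
                "customer.password"               // segment not on the allowlist
        };
        for (String sample : samples) {
            System.out.printf("%-32s accepted=%b%n", sample, guard.isAcceptable(sample));
        }
    }
}
```

Place the guard at the trust boundary, where request parameters are turned into property paths, rather than deep in repository code; a rejected string should be logged with its source so that repeated rejections from one client are visible to monitoring. The allowlist is the important control: length and depth caps limit how much work a single request can cause, but only an allowlist keeps resolution to paths the application actually intends to expose.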
Evidence notes
The CVE record and NVD detail provide evidence of the vulnerability and its affected versions.
Official resources
- CVE-2026-41695 CVE record (CVE.org)
- CVE-2026-41695 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41695 was published on 2026-06-10T00:16:50.683Z and modified on 2026-06-10T19:24:04.320Z.