PatchSiren cyber security CVE debrief
CVE-2026-41697 Spring CVE debrief
CVE-2026-41697 is a vulnerability in Spring Data Relational that allows an attacker to perform boolean-based blind data inference by supplying wildcard characters. The vulnerability affects Spring Data Relational/JDBC/R2DBC versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.4.0 through 2.4.19.
- Vendor
- Spring
- Product
- Spring Data Relational
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Users of affected Spring Data Relational versions should update to a patched version to prevent potential data inference attacks.
Technical summary
The vulnerability occurs when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of Spring Data Relational: 4.0.6 or later, 3.5.12 or later, 3.4.15 or later, 3.3.17 or later, 3.2.16 or later, 3.1.15 or later, 3.0.16 or later, or 2.4.20 or later.
- Use a version of Spring Data Relational that is not vulnerable to this issue.
Evidence notes
The CVE-2026-41697 vulnerability was published on [cvePublishedAt] and modified on [cveModifiedAt].
Official resources
-
CVE-2026-41697 CVE record
CVE.org
-
CVE-2026-41697 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-41697 was published on 2026-06-10T00:16:50.947Z and modified on 2026-06-10T19:24:04.320Z.