PatchSiren cyber security CVE debrief
CVE-2026-41716 Spring CVE debrief
CVE-2026-41716 is a high-severity vulnerability in Spring Data that allows for heap exhaustion through repeated requests. The vulnerability is caused by the internal property-lookup cache in Spring Data accepting and permanently retaining attacker-supplied strings as cache keys. This can lead to heap exhaustion, potentially causing a denial-of-service (DoS) attack.
- Vendor
- Spring
- Product
- Spring Data Commons
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Developers and administrators using affected versions of Spring Data should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability affects the following versions of Spring Data: 2.7.0 through 2.7.19, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5. The CVSS score for this vulnerability is 7.5, indicating a high severity.
Defensive priority
High
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Data.
- Implement rate limiting or other measures to prevent repeated requests.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4].
Official resources
-
CVE-2026-41716 CVE record
CVE.org
-
CVE-2026-41716 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-41716 was published on 2026-06-10T00:16:51.567Z and modified on 2026-06-10T19:24:04.320Z.