Severity: HIGH · CVE-2026-41007 · Published · Modified · CNA: vmware

CVE-2026-41007: Spring HATEOAS heap exhaustion through unbounded internal caching

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.5.7
Affected Products: 1


HarborGuard Analysis

Synopsis

Heap exhaustion vulnerability in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3. The library maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings, so every distinct string submitted adds a permanent entry; a remote, unauthenticated attacker can flood this cache over the network. Successful exploitation exhausts JVM heap memory, crashing or severely degrading the affected service. Patched-image rebuilds at versions 1.5.7, 2.3.5, 2.4.2, 2.5.3, and 3.0.4 are available on HarborGuard for environments running an affected version.
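The pattern behind this bug class, shown as an added illustration that is not Spring HATEOAS's own code: a process-wide intern cache with no size bound grows by one entry per distinct caller-supplied string, while a bounded, least-recently-used variant caps memory growth no matter how many distinct strings arrive. Class and method names and the 1024-entry cap are assumptions made for the illustration, not values from the library or from the upstream fix.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical value type standing in for an interned relation object.
final class Relation {
    final String value;
    Relation(String value) { this.value = value; }
}

// Vulnerable pattern: static, unbounded intern cache keyed on caller-supplied strings.
// Each distinct string adds an entry that is never evicted, so heap use tracks
// the number of distinct strings an unauthenticated client chooses to send.
final class UnboundedRelationCache {
    private static final Map<String, Relation> CACHE = new ConcurrentHashMap<>();

    static Relation of(String rel) {
        return CACHE.computeIfAbsent(rel, Relation::new);
    }
    static int size() { return CACHE.size(); }
}

// Hardened variant: bounded cache with least-recently-used eviction.
// Access-ordered LinkedHashMap plus removeEldestEntry caps the entry count
// (1024 is an assumed cap for this illustration).
final class BoundedRelationCache {
    private static final int MAX_ENTRIES = 1024;
    private static final Map<String, Relation> CACHE = Collections.synchronizedMap(
        new LinkedHashMap<String, Relation>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Relation> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    static Relation of(String rel) {
        return CACHE.computeIfAbsent(rel, Relation::new);
    }
    static int size() { return CACHE.size(); }
}

public class CacheGrowthDemo {
    public static void main(String[] args) {
        // Constructed input: 100,000 distinct relation strings, as a request flood would supply.
        for (int i = 0; i < 100_000; i++) {
            String rel = "rel-" + i;
            UnboundedRelationCache.of(rel);
            BoundedRelationCache.of(rel);
        }
        System.out.println("unbounded cache entries: " + UnboundedRelationCache.size());
        System.out.println("bounded cache entries:   " + BoundedRelationCache.size());
    }
}
```

The unbounded cache ends with one entry per distinct input while the bounded one never exceeds its cap; a bounded cache is one mitigation for this pattern, and the upstream fix version named on this page is the authoritative remedy.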

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-41007 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion, including custom-built images that bundle Spring HATEOAS. Coverage extends to all affected version ranges regardless of whether the dependency is direct or transitive.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and is capable of weighting that score against each environment's compliance policy to prioritize alerting appropriately. Triage findings are routable to the team or inbox configured within each customer organization.

Patch: Available

A patched-image rebuild at the applicable fix version (1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4) becomes available on HarborGuard once the upstream fix is matched to an affected image. For customers who opt into auto-remediation, HarborGuard is capable of rebuilding the image, running a regression test suite, and opening a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Spring HATEOAS service over the network; the vulnerability is exposed on any network-accessible endpoint that processes attacker-supplied link relation strings.

  • Authentication: Not required

    No account or credentials are needed; the cache-flooding request can be submitted by any unauthenticated caller.

  • Victim interaction: Not required

    No user action is required; the attacker sends requests directly to the service without any social-engineering step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.

Blast Radius

  • Exhausts JVM heap memory on the targeted service, forcing an out-of-memory crash or sustained garbage-collection pauses that make the service unavailable.
  • Denial of service affects all users of the application instance, not just the attacker's own requests.
  • No confidential data is read and no data is modified; impact is limited to availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41007 is active across all customer image scans, matching affected Spring HATEOAS versions in both registry-stored and pipeline-built images. Where compliance policy permits, customers with auto-remediation enabled can have a rebuilt image at the appropriate fix version (1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4) generated, regression-tested, and delivered as a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For teams that prefer manual remediation, HarborGuard surfaces the specific fix version matched to each affected image, so engineers can target the smallest version bump that resolves the vulnerability. Until a rebuild is applied, compensating controls worth considering include network-policy restrictions that limit which clients can reach the affected endpoint and request-rate limiting at an ingress layer to slow cache growth.


Fix available: 1.5.7, 2.3.5, 2.4.2, 2.5.3, 3.0.4
Affected packages
  • Spring / Spring HATEOAS
    < 1.5.7 (from 1.5.0) · < 2.3.5 (from 2.3.0) · < 2.4.2 (from 2.4.0) · < 2.5.3 (from 2.5.0) · < 3.0.4 (from 3.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H