HarborGuard Database

HIGH · CVE-2026-41695 · CNA: vmware

CVE-2026-41695: Denial of Service in Spring Data Commons Property Path Resolution

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 3.4.15 / 3.5.12 / 4.0.6
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in Spring Data Commons caused by unbounded resource exhaustion during property path resolution. An unauthenticated remote attacker can trigger it by sending crafted property path strings to any exposed endpoint that passes user input into MappingContext property path resolution, requiring no privileges or victim interaction. Successful exploitation exhausts server resources and crashes or hangs the affected service. A patched-image rebuild at versions 3.4.15, 3.5.12, and 4.0.6 is available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring Data Commons. Any image whose manifest or layer analysis identifies an affected version of Spring Data Commons (4.0.0-4.0.5, 3.5.0-3.5.11, or 3.4.0-3.4.14) is flagged automatically.
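The same version-range check can be run by hand against a build's dependency list. The following is an added example written for this page, not HarborGuard or Spring code; it encodes the affected ranges exactly as the advisory lists them (lower bound inclusive, fix version exclusive), orders versions the way Maven does so that a 4.0.6-SNAPSHOT still counts as affected, and scans constructed `mvn dependency:list`-style lines. The class and method names are the example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Checks spring-data-commons versions against the ranges published for
 * CVE-2026-41695 and reports the fix version for each affected artifact.
 * Added example; not HarborGuard or Spring Data code.
 */
public class SpringDataCommonsCheck {

    // Affected ranges from the advisory: {lower bound inclusive, fix version exclusive}.
    private static final String[][] RANGES = {
        {"4.0.0", "4.0.6"},
        {"3.5.0", "3.5.12"},
        {"3.4.0", "3.4.15"},
    };

    // Maven coordinate as printed by `mvn dependency:list`: groupId:artifactId:type:version:scope
    private static final Pattern COORD = Pattern.compile(
        "org\\.springframework\\.data:spring-data-commons:jar:([0-9][0-9A-Za-z.\\-]*)");

    /**
     * Orders versions the way Maven does for the cases that matter here: numeric
     * major.minor.patch, with a qualified version (3.4.15-SNAPSHOT, 3.4.15-RC1)
     * sorting before the plain release 3.4.15 that actually carries the fix.
     */
    static int compare(String a, String b) {
        int[] x = key(a), y = key(b);
        for (int i = 0; i < x.length; i++) {
            if (x[i] != y[i]) return Integer.compare(x[i], y[i]);
        }
        return 0;
    }

    private static int[] key(String v) {
        String[] halves = v.split("[-+]", 2);      // "4.0.6-SNAPSHOT" -> ["4.0.6", "SNAPSHOT"]
        String[] nums = halves[0].split("\\.");
        int[] k = new int[4];
        for (int i = 0; i < 3 && i < nums.length; i++) k[i] = Integer.parseInt(nums[i]);
        k[3] = halves.length > 1 ? 0 : 1;          // qualifier present => pre-release of that number
        return k;
    }

    /** Returns the fix version when the given version falls in an affected range. */
    static Optional<String> fixFor(String version) {
        for (String[] r : RANGES) {
            if (compare(version, r[0]) >= 0 && compare(version, r[1]) < 0) {
                return Optional.of(r[1]);
            }
        }
        return Optional.empty();
    }

    /** Scans dependency-list style lines and returns one finding per affected coordinate. */
    static List<String> scan(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = COORD.matcher(line);
            if (!m.find()) continue;
            String version = m.group(1);
            fixFor(version).ifPresent(fix ->
                findings.add("spring-data-commons " + version + " is affected; upgrade to " + fix));
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample of `mvn dependency:list` output; not taken from a real project.
        List<String> sample = List.of(
            "[INFO]    org.springframework.data:spring-data-commons:jar:3.4.14:compile",
            "[INFO]    org.springframework.data:spring-data-jpa:jar:3.4.14:compile",
            "[INFO]    org.springframework.data:spring-data-commons:jar:3.5.12:compile",
            "[INFO]    org.springframework.data:spring-data-commons:jar:4.0.6-SNAPSHOT:compile",
            "[INFO]    org.springframework.data:spring-data-commons:jar:3.3.9:compile"
        );
        scan(sample).forEach(System.out::println);
    }
}
```

By construction the scan reports the 3.4.14 artifact and the 4.0.6-SNAPSHOT artifact (a snapshot sorts before the release that carries the fix) and stays silent on 3.5.12 and on 3.3.9. Silence on 3.3.9 only means that version is outside the ranges the advisory lists; it says nothing about branches the advisory does not cover, so treat an unlisted version as "not assessed" rather than "safe".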
Triage: Available

Triage is available using the CVSS v3.1 score of 7.5 (HIGH), weighted against each customer environment's compliance policy to prioritize findings that breach defined thresholds. Routed alerts reach the inbox or ticketing integration configured for each customer org, so the right team sees the finding without manual filtering.
Patch: Available

A patched-image rebuild at Spring Data Commons 3.4.15, 3.5.12, or 4.0.6 becomes available in HarborGuard the moment the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the vulnerable Spring Data Commons service over the network. The CVSS vector specifies AV:N, so no local or adjacent-network position is needed; the endpoint only has to be reachable from wherever the attacker originates.

  • Authentication: Not required

    No credentials or session token are needed; the CVSS vector specifies PR:N, meaning any unauthenticated request carrying a crafted property path string is sufficient.

  • Victim interaction: Not required

    The exploit is fully server-side; no user action such as clicking a link or opening a file is required, as the CVSS vector specifies UI:N.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental preconditions.

Blast Radius

  • The affected service exhausts CPU or memory (or both) while processing the crafted property path, causing it to become unresponsive or crash.
  • Dependent services or clients that rely on the Spring Data Commons endpoint lose connectivity for the duration of the resource exhaustion event.
  • No confidentiality or integrity impact is indicated; the attacker cannot read or modify data, only disrupt availability.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing an affected Spring Data Commons version, and a patched-image rebuild at 3.4.15, 3.5.12, or 4.0.6 (whichever matches the version branch in a given image) becomes available immediately upon upstream fix confirmation. For customers with auto-remediation enabled, the platform rebuilds the image, runs regression tests, and opens a pull request against affected workloads, targeting a median time from publication to merged PR of around 90 minutes for HIGH-severity findings. Where compliance policy does not permit auto-remediation, the finding appears in the vulnerability dashboard with remediation guidance pointing to the applicable fix version.

Until a rebuild is applied, compensating controls worth considering include network-policy rules that restrict which clients can reach endpoints backed by Spring Data Commons property path resolution, and input-validation layers at the API gateway or application tier that reject unusually long or deeply nested property path strings and that limit the root property to an allow-list of fields the endpoint is meant to expose. Rejecting is safer than truncating: a truncated path may still resolve, only to a different property than the client named.
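One shape such an application-tier guard can take, as an added example that is not HarborGuard or Spring Data code: a validator that runs on the raw request parameter before the application hands it to `PropertyPath.from(...)` or to repository sort handling. The limits (128 characters, 4 segments), the segment syntax, and the allow-listed root properties are deployment choices invented for the example, and the class name and the sample inputs in `main` are constructed for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Rejects untrusted property-path strings before they reach Spring Data's
 * PropertyPath / MappingContext resolution. Every limit here is a deployment
 * choice made for this example, not a value taken from Spring Data.
 */
public final class PropertyPathGuard {

    private static final int MAX_LENGTH = 128;   // total characters accepted
    private static final int MAX_DEPTH = 4;      // maximum number of nested segments
    // One segment: a Java-style identifier with a lower-case first letter.
    private static final Pattern SEGMENT = Pattern.compile("[a-z][A-Za-z0-9]*");
    // PropertyPath.from accepts both '.' and '_' as segment separators, so both count toward depth.
    private static final Pattern SEPARATOR = Pattern.compile("[._]");

    private final Set<String> allowedRoots;

    /** @param allowedRoots top-level properties a client may address (application-specific list) */
    public PropertyPathGuard(Set<String> allowedRoots) {
        this.allowedRoots = Set.copyOf(allowedRoots);
    }

    /**
     * Returns the path unchanged if it passes every check, otherwise throws.
     * Throwing rather than truncating keeps a rejected request from being
     * resolved against a different property than the client asked for.
     */
    public String validate(String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalArgumentException("empty property path");
        }
        if (raw.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("property path longer than " + MAX_LENGTH);
        }
        // limit -1 keeps empty trailing segments, so "status." is caught as malformed below
        String[] segments = SEPARATOR.split(raw, -1);
        if (segments.length > MAX_DEPTH) {
            throw new IllegalArgumentException("property path deeper than " + MAX_DEPTH);
        }
        for (String s : segments) {
            if (!SEGMENT.matcher(s).matches()) {
                throw new IllegalArgumentException("malformed path segment: '" + s + "'");
            }
        }
        if (!allowedRoots.contains(segments[0])) {
            throw new IllegalArgumentException("property not exposed: " + segments[0]);
        }
        return raw;
    }

    public static void main(String[] args) {
        // Hypothetical root properties an order-search endpoint might expose for sorting.
        PropertyPathGuard guard = new PropertyPathGuard(Set.of("createdAt", "status", "customer"));

        // Constructed inputs: the first two are legitimate; the rest are the kinds of
        // strings an attacker could send as a sort or filter parameter.
        List<String> inputs = List.of(
            "createdAt",
            "customer_address.zipCode",
            "customer.address.city.country.name",   // too deep
            "a.".repeat(200),                        // oversized
            "status.",                               // empty trailing segment
            "status;DROP",                           // malformed segment
            "password"                               // not on the allow-list
        );
        for (String in : inputs) {
            try {
                System.out.println("accept " + guard.validate(in));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

The checks are ordered cheapest first (length, then segment count, then per-segment syntax, then the allow-list) so that an oversized string is discarded before any per-character work is done on it. The depth and length limits are what bound the work the vulnerable resolver can be asked to do; the allow-list is what keeps a client from probing properties the endpoint was never meant to expose.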


Fix available

3.4.15 · 3.5.12 · 4.0.6
Affected packages
  • Spring / Spring Data Commons
    < 4.0.6 (from 4.0.0) · < 3.5.12 (from 3.5.0) · < 3.4.15 (from 3.4.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H