HarborGuard Database

CVE-2026-41708 (Severity: HIGH, CNA: vmware)

CVE-2026-41708: Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled. Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 3.1.14
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in Spring Cloud Sleuth, specifically its Spring TX instrumentation component (org.springframework.cloud:spring-cloud-sleuth-instrumentation). The flaw is reachable over the network with no authentication required and no victim interaction needed. A remote attacker can send specially crafted requests that trigger the vulnerable code path and crash or render the affected service unavailable. A patched-image rebuild at version 3.1.14 is available on HarborGuard for environments running an affected version (3.1.0 through 3.1.13).

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-41708 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the affected spring-cloud-sleuth-instrumentation dependency.

Triage (Available)

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights findings against each environment's compliance policy, routing alerts to the appropriate team inbox within the customer org based on service ownership and severity thresholds.

Patch (Available)

A patched-image rebuild at Spring Cloud Sleuth 3.1.14 becomes available on HarborGuard for any image found to contain an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends crafted HTTP or RPC requests from any remote location.

  • Authentication: Not required

    No account or credential is needed; the crafted requests can be sent by any unauthenticated caller.

  • Victim interaction: Not required

    No user action is required; the attacker triggers the vulnerability entirely through their own requests to the service.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable, with no race conditions or environmental dependencies to satisfy.

Blast Radius

  • Crashes or hangs the affected Spring application, making it unable to serve legitimate traffic.
  • Sustained request floods can keep the service down indefinitely, causing a full availability outage for dependent systems.
  • No confidentiality or data-integrity impact is indicated; the attacker gains no read or write access to application data.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing spring-cloud-sleuth-instrumentation between versions 3.1.0 and 3.1.13, across both registry scans and pipeline checks. A rebuild pinned to the fixed version 3.1.14 is made available automatically once the affected image is identified. For customers who have auto-remediation enabled, HarborGuard proceeds through rebuild, regression testing, and PR creation against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the rebuild artifact and a pre-filled remediation PR are queued and held for engineer review. Customers who cannot upgrade immediately should consider disabling Spring TX instrumentation via the Sleuth configuration flag (as noted in the upstream advisory) and applying network-policy controls to restrict the blast radius of any inbound request flooding.
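The two checks a defender needs here are the version-range match for org.springframework.cloud:spring-cloud-sleuth-instrumentation (3.1.0 up to but excluding 3.1.14) and whether Spring TX instrumentation has been switched off. The following Python triage script is an added example, not HarborGuard's or the Spring project's code; it runs over constructed `mvn dependency:list` output and an application.properties map, and the property name `spring.sleuth.tx.enabled` is an assumption, since the page does not name the flag.

```python
import re

# Affected coordinates and range from the advisory: 3.1.0 <= version < 3.1.14
GROUP = "org.springframework.cloud"
ARTIFACT = "spring-cloud-sleuth-instrumentation"
FIRST_AFFECTED = (3, 1, 0)
FIXED_IN = (3, 1, 14)
TX_FLAG = "spring.sleuth.tx.enabled"  # assumed flag name; not stated on the page

# One `mvn dependency:list` line looks like group:artifact:type:version[:scope]
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+)(?::\w+)?")

def parse_version(text):
    """'3.1.13' -> (3, 1, 13); trailing qualifiers such as -SNAPSHOT are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in m.groups())

def is_affected_version(text):
    return FIRST_AFFECTED <= parse_version(text) < FIXED_IN

def find_sleuth_versions(dep_lines):
    """Return every version of the instrumentation artifact seen in the dependency list."""
    found = []
    for line in dep_lines:
        m = DEP_LINE.search(line)
        if m and (m.group(1), m.group(2)) == (GROUP, ARTIFACT):
            found.append(m.group(3))
    return found

def tx_instrumentation_disabled(properties):
    # Sleuth enables the instrumentation unless the flag is explicitly false
    return properties.get(TX_FLAG, "true").strip().lower() == "false"

def triage(dep_lines, properties):
    vulnerable = [v for v in find_sleuth_versions(dep_lines) if is_affected_version(v)]
    if not vulnerable:
        return "not-affected"
    if tx_instrumentation_disabled(properties):
        return "affected-mitigated"  # workaround only; still upgrade to 3.1.14
    return "affected-unmitigated"

# Constructed sample: dependency:list output for an application on Sleuth 3.1.13
SAMPLE_DEPS = [
    "[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-sleuth-instrumentation:jar:3.1.13:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-sleuth-brave:jar:3.1.13:compile",
]
```

`triage(SAMPLE_DEPS, {})` reports `affected-unmitigated`, and the same dependencies with the flag set to `false` report `affected-mitigated`.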


Fix available: 3.1.14

Affected packages
  • Spring / Spring Cloud Sleuth: < 3.1.14 (from 3.1.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H