CVE-2026-41716: Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 2.7.20
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unbounded cache-poisoning denial-of-service vulnerability affects Spring Data Commons. The affected component accepts attacker-supplied property-name strings as permanent cache keys over the network, requiring no authentication. Successful exploitation exhausts JVM heap memory, crashing or rendering the application unavailable. Patched-image rebuilds at versions 2.7.20, 3.3.17, 3.4.15, 3.5.12, and 4.0.6 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-41716 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built base images. Any image containing an affected Spring Data Commons version in the ranges listed will surface in scan results automatically.
HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patched-image rebuilds pinned to the applicable fix version (2.7.20, 3.3.17, 3.4.15, 3.5.12, or 4.0.6) become available in HarborGuard the moment the upstream artifact is indexed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The vulnerable cache endpoint is reachable over the network; an attacker must be able to send HTTP requests to the exposed Spring Data web layer.
- Authentication: Not required
No credentials or session token are needed; unauthenticated requests carrying arbitrary property-name strings are sufficient to populate the cache.
- Victim interaction: Not required
No user action is required; the attacker drives the attack entirely through their own requests to the service.
- Attack complexity: Detail
Exploitation is straightforward and condition-free; the attacker simply sends repeated requests with novel string keys and the cache grows without bound.
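The growth pattern described above, as an added illustration that is not Spring Data's code and not part of the original advisory: a simplified Java model of a lookup cache that also stores misses, with an unbounded map beside a size-capped LRU map. All class, method and property names are hypothetical, the input names are constructed, and the actual upstream fix may differ.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of the bug class (Java 9+); NOT Spring Data's code. Names are hypothetical.
public class NegativeCacheDemo {
    static final Set<String> KNOWN = Set.of("id", "name", "email"); // constructed property set

    // Weak form: every looked-up name, including each miss, is retained for the JVM's lifetime.
    static final Map<String, Optional<String>> unbounded = new ConcurrentHashMap<>();

    static Optional<String> lookupUnbounded(String property) {
        return unbounded.computeIfAbsent(property, NegativeCacheDemo::resolve);
    }

    // Hardened form: misses are still cached, but in an LRU map with a hard size cap.
    static final int MAX_ENTRIES = 256;
    static final Map<String, Optional<String>> bounded =
        new LinkedHashMap<String, Optional<String>>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Optional<String>> eldest) {
                return size() > MAX_ENTRIES; // evict the least recently used entry
            }
        };

    // An access-ordered LinkedHashMap is mutated by get(), so all access is synchronized.
    static synchronized Optional<String> lookupBounded(String property) {
        Optional<String> hit = bounded.get(property);
        if (hit == null) {
            hit = resolve(property);
            bounded.put(property, hit);
        }
        return hit;
    }

    // Stand-in for the expensive lookup; an empty Optional is the cached negative result.
    static Optional<String> resolve(String property) {
        return KNOWN.contains(property) ? Optional.of(property) : Optional.empty();
    }

    public static void main(String[] args) {
        for (int i = 0; i < 100_000; i++) {
            String novel = "missing" + i; // constructed stand-in for request-supplied names
            lookupUnbounded(novel);
            lookupBounded(novel);
        }
        System.out.println("unbounded entries: " + unbounded.size());
        System.out.println("bounded entries:   " + bounded.size());
    }
}
```

The unbounded map keeps one entry per distinct name it has ever seen, while the capped map never holds more than `MAX_ENTRIES` regardless of how many distinct names arrive.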
Blast Radius
- The JVM heap fills as the cache grows, triggering out-of-memory errors and crashing the application process.
- All in-flight requests are dropped when the service goes down, causing a full denial of service for end users.
- Persistent heap pressure before a full crash causes severe latency degradation, making the application effectively unusable during the attack.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-41716 is active across the scanning pipeline, matching any image that carries an affected Spring Data Commons version. For environments running a vulnerable version, rebuilt images at the appropriate fix version are available as soon as the upstream artifact is indexed. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with fix-version guidance so teams can act on their own schedule. As a compensating control while a rebuild is being prepared, consider applying network-policy rules that rate-limit or restrict unauthenticated access to the Spring Data web endpoints, reducing the attacker's ability to flood the property-lookup cache.
Fix available
- Spring / Spring Data Commons: < 2.7.20 (from 2.7.0) · < 3.3.17 (from 3.3.0) · < 3.4.15 (from 3.4.0) · < 3.5.12 (from 3.5.0) · < 4.0.6 (from 4.0.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H