Spring patches LDAP auth bypass and multiple DoS flaws across Framework and Data
Spring disclosed a broad set of vulnerabilities across Spring Framework, Spring Data Commons, and Spring LDAP, including a high-severity authentication bypass tracked as CVE-2026-41720. The LDAP flaw allows login with a valid username and an empty or null password when the backing LDAP server permits unauthenticated binds, affecting authentication flows that use AbstractContextSource, LdapTemplate, or LdapClient. Spring also fixed a low-severity WebFlux session fixation issue (CVE-2026-41839) tied to compromised subdomains, and an information disclosure bug (CVE-2026-41841) in Spring MVC and WebFlux where shared static-resource caches could expose protected files if a public resource with the same name had already been cached.
Several denial-of-service issues were patched at the same time. In Spring Framework, CVE-2026-41840 can leak memory through malicious multipart requests in WebFlux, while CVE-2026-41842 can tie up HTTP connections through slow resolution of versioned file-system resources in Spring MVC or WebFlux. In Spring Data Commons, CVE-2026-41695, CVE-2026-41711, CVE-2026-41716, and CVE-2026-41721 can be triggered by attacker-controlled property paths, sort parameters, property names, or @ProjectedPayload data binding, leading to stack overflows, heap exhaustion, or excessive memory allocation when applications expose those inputs to untrusted users. Spring urged customers to upgrade to fixed releases, including Framework 7.0.8, 6.2.19, and 6.1.28, Data Commons 4.0.6 and 3.5.12, and LDAP 2.4.5, 3.2.18, 3.3.8, or 4.0.4, with some older branches receiving fixes only through commercial support.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Security Online reports three additional patched Spring Data vulnerabilities
Security Online reported three additional Spring Data flaws not captured in the existing timeline: CVE-2026-41729 and CVE-2026-41717, described as injection vulnerabilities that can lead to remote code execution, and CVE-2026-41728, which can bypass Jackson read-only property protections on nested objects. The report said Spring released patches and specifically directed Spring Data REST 4.5.x users to upgrade to version 4.5.12.
Security Online reports Spring patched multiple newly disclosed flaws
Security Online reported that multiple newly addressed Spring vulnerabilities had been patched, highlighting CVE-2026-41720 as the most critical and urging administrators to upgrade to Spring Framework 7.0.8, 6.2.19, or 6.1.28 and validate environments with regression testing. The article summarized the already disclosed issues affecting authentication, denial of service, information disclosure, and session fixation.
Spring discloses CVE-2026-41721 data binding DoS in Spring Data Commons
Spring disclosed CVE-2026-41721, a medium-severity denial-of-service vulnerability in Spring Data Commons where crafted HTTP requests can trigger excessive memory allocation when Spring Data Web Support and @ProjectedPayload are used. Spring advised users to upgrade to fixed releases such as 4.0.6 and 3.5.12.
Spring discloses CVE-2026-41716 negative-result cache DoS
Spring disclosed CVE-2026-41716, a high-severity denial-of-service vulnerability in Spring Data web support caused by an internal property-lookup cache that permanently retains attacker-supplied strings as keys, potentially leading to heap exhaustion. Spring said OSS fixes are available in 3.5.12 and 4.0.6, with commercial fixes for additional branches.
Spring discloses CVE-2026-41711 crafted Sort parameter DoS
Spring disclosed CVE-2026-41711, a medium-severity denial-of-service vulnerability in Spring Data Commons where crafted Sort parameters can trigger a StackOverflowException during parsing. Spring recommended upgrading to fixed releases and sanitizing untrusted sorting input.
Spring discloses CVE-2026-41695 property path resolution DoS
Spring disclosed CVE-2026-41695, a high-severity denial-of-service vulnerability in Spring Data Commons caused by resource exhaustion during MappingContext property path resolution when attacker-controlled property paths are exposed. Spring advised upgrading to fixed versions 4.0.6, 3.5.12, or 3.4.15.
Spring publishes CVE-2026-41842 slow-request DoS via versioned resources
Spring disclosed CVE-2026-41842, a high-severity denial-of-service flaw affecting Spring MVC and WebFlux applications serving file-system static resources with versioned resource support enabled. Malicious requests can be slow to resolve and tie up HTTP connections, and Spring recommended upgrading to fixed releases including 7.0.8, 6.2.19, 6.1.28, or 5.3.49.
Spring publishes CVE-2026-41841 static resource cache disclosure flaw
Spring disclosed CVE-2026-41841, an information disclosure vulnerability in Spring MVC and WebFlux that can expose protected resources when shared caches are used across differently protected resource handlers. Spring stated that upgrading to fixed releases is sufficient and no additional mitigation is necessary.
Spring publishes CVE-2026-41840 multipart-request DoS in WebFlux
Spring disclosed CVE-2026-41840, a medium-severity denial-of-service vulnerability in Spring Framework WebFlux where malicious multipart requests can leak memory and exhaust resources. Spring said affected users should upgrade to fixed releases such as 7.0.8 and 6.2.19.
Spring publishes CVE-2026-41839 session fixation issue in WebFlux
Spring disclosed CVE-2026-41839, a low-severity session fixation-related escalation issue affecting WebFlux applications with a compromised subdomain. The company advised customers to upgrade to fixed releases including 7.0.8 and 6.2.19.
Spring publishes CVE-2026-41720 authentication bypass in Spring LDAP
Spring disclosed CVE-2026-41720, a high-severity authentication bypass flaw in Spring LDAP where a valid username paired with an empty or null password can succeed on LDAP servers that permit unauthenticated binds. Spring recommended upgrading to fixed releases 2.4.5, 3.2.18, 3.3.8, or 4.0.4.
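To make the bind semantics behind CVE-2026-41720 (summarised at the top of the page and in this entry) concrete, here is an added Python model of RFC 4513 simple-bind handling together with the client-side guard a login path should apply before handing credentials to the directory; it is not Spring LDAP code, and FakeLdapServer, its allow_unauth flag and the sample DN are constructed for this example.

```python
"""Constructed model of the LDAP simple-bind cases behind CVE-2026-41720.
RFC 4513 distinguishes three simple-bind forms: anonymous (empty name,
empty password), unauthenticated (non-empty name, empty password) and
name/password. A server that permits unauthenticated binds answers the
second form with success, so a client that forwards an empty or null
password as a login attempt "authenticates" a valid username without
any credential. This is not Spring code; the server is a stand-in."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FakeLdapServer:
    """Constructed directory: DN -> password. allow_unauth models the
    server setting that makes unauthenticated binds succeed."""
    users: dict = field(default_factory=dict)
    allow_unauth: bool = False

    def simple_bind(self, dn: str, password: Optional[str]) -> bool:
        pw = password or ""          # null and empty behave the same on the wire
        if dn == "" and pw == "":
            return False             # anonymous bind: no user is authenticated
        if pw == "":                 # unauthenticated bind (RFC 4513 section 5.1.2)
            return self.allow_unauth and dn in self.users
        return self.users.get(dn) == pw


def classify_bind(dn: str, password: Optional[str]) -> str:
    """Name the simple-bind form a (dn, password) pair would produce."""
    if not dn and not password:
        return "anonymous"
    if not password:
        return "unauthenticated"
    return "name/password"


def guarded_authenticate(server: FakeLdapServer, dn: str,
                         password: Optional[str]) -> bool:
    """Defensive login path: only a name/password bind counts as an
    authentication attempt, regardless of how permissive the server is."""
    if classify_bind(dn, password) != "name/password":
        return False
    return server.simple_bind(dn, password)
```

The first assertion in the accompanying check reproduces the precondition the advisory describes (the server alone accepts the empty password); the guard is what turns that into a failed login.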
Sources
11 references tracked.
Spring Data Vulnerabilities: Patch 5 Critical Flaws Now (securityonline.info, open source)
Spring Framework Security Vulnerabilities Patched (securityonline.info, open source)
CVE-2026-41711: Potential Denial of Service through crafted Sort Parameters (spring.io, open source)
CVE-2026-41716: Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names (spring.io, open source)
CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP (spring.io, open source)
CVE-2026-41840: Spring Framework Denial of Service via Multipart Requests in WebFlux (spring.io, open source)
CVE-2026-41842: Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux (spring.io, open source)
CVE-2026-41841: Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux (spring.io, open source)