High

Heap Exhaustion DoS in Spring Data Commons Property Lookup Cache

IdentifiersCVE-2026-41716CWE-400

CVE-2026-41716 is a high-severity denial-of-service vulnerability in Spring Data web support, rooted in Spring Data Commons. Spring Data's internal property-lookup cache accepts attacker-controlled property-name strings as cache keys and permanently retains negative lookup results, creating an unbounded cache growth condition. When applications pass unfiltered HTTP-supplied property names into property path resolution, including via PropertyPath.from, an attacker can send repeated requests containing unique malicious property-name strings and force continuous heap consumption. Documented exposed paths include Querydsl web bindings through QuerydslPredicateArgumentResolver, particularly with default permit-all visibility, and @ProjectedPayload form-parameter binding through MapDataBinder. The issue affects Spring Data Commons 2.7.0 through 2.7.19, 3.3.0 through 3.3.16, 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5; unsupported versions are also reported as affected transitively through Spring Data Commons.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to exhaust JVM heap memory by continuously populating the internal property-lookup cache with attacker-supplied unique strings. The practical result is denial of service: degraded performance, increased memory pressure, potential out-of-memory conditions, and application or service crashes. Available information indicates impact is limited to availability, with no stated direct confidentiality or integrity impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by preventing untrusted HTTP-supplied property names from reaching PropertyPath.from or related property-path resolution flows. Restrict or explicitly allowlist bindable/queryable property names in web binding layers, avoid default permit-all exposure in Querydsl web bindings, and review uses of QuerydslPredicateArgumentResolver and @ProjectedPayload/MapDataBinder paths that accept attacker-controlled property names. Operationally, apply request filtering/rate limiting and monitor JVM heap usage to detect exploitation attempts, but these are compensating controls and not a substitute for patching.

Remediation

Patch, then assume compromise.

Upgrade to a fixed Spring Data Commons release for the affected branch. Reported fixes are 2.7.20, 3.3.17, 3.4.15, 3.5.12, and 4.0.6. OSS fixes are available for 3.5.12 and 4.0.6; 2.7.20, 3.3.17, and 3.4.15 are reported as commercial fixes. Also review transitive Spring Data dependencies because store modules inherit the issue through Spring Data Commons.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomSpring-Data-Commonsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

security online infoNews

Jun 11, 2026

Spring Data Vulnerabilities: Patch 5 Critical Flaws Now

A denial-of-service vulnerability in Spring Data caused by a property-lookup cache bug that can lead to continuous heap exhaustion via repeated malicious requests.

springNews

Jun 9, 2026

CVE-2026-41716: Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names

A high-severity denial-of-service vulnerability in Spring Data web support where attacker-controlled property names are permanently retained in an internal property-lookup cache, enabling heap exhaustion through repeated requests.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41716

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41716

MITRE CWE · CWE-400

cwe.mitre.org

Vendor Advisory

spring.io/security/cve-2026-41716