CVE-2026-41695: Spring Data Commons Denial of Service via Property Path Exhaustion
Spring Data Commons, a widely-used Java framework component, contains a denial-of-service vulnerability in how it processes property path strings. An attacker can send specially crafted requests that cause the application to exhaust system resources (CPU, memory) during property resolution, making the service unavailable to legitimate users. This affects versions 3.4.0 through 3.4.14, 3.5.0 through 3.5.11, and 4.0.0 through 4.0.5.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the MappingContext property path resolution logic within Spring Data Commons. When attacker-controlled property path strings are passed to this resolution mechanism without adequate guards, they can trigger pathological computation patterns that consume excessive CPU and memory. The issue is classified as CWE-400 (Uncontrolled Resource Consumption), indicating the absence of proper rate limiting or complexity bounds in the parsing logic. The attack requires no authentication or user interaction, making it trivial to exploit from the network.
Business impact
Applications built on vulnerable Spring Data Commons versions become susceptible to resource exhaustion attacks that degrade availability. For services relying on REST endpoints, GraphQL APIs, or query interfaces that expose property path filtering or querying, attackers can trigger denial of service without obtaining credentials or exploiting authentication mechanisms. This can impact SLA compliance, customer-facing uptime, and operational stability. Organizations running microservices architectures using Spring Data are particularly exposed, as a single vulnerable instance can be repeatedly targeted.
Affected systems
Any Java application or service that depends on Spring Data Commons versions 3.4.0–3.4.14, 3.5.0–3.5.11, or 4.0.0–4.0.5 is affected. This includes Spring Data JPA, Spring Data MongoDB, Spring Data REST, and other Spring Data implementation modules that pull in the commons library as a transitive dependency. Applications should audit their dependency trees (via Maven, Gradle, or similar build tooling) to identify whether they reference vulnerable versions. Indirect dependencies are particularly important to check.
Exploitability
This vulnerability requires minimal effort to exploit. An attacker needs only network access to send HTTP requests with malicious property paths to an exposed endpoint. No authentication, special privileges, or user interaction are required. The attack vector is straightforward: craft a request with a deeply nested or computationally expensive property path string and observe the system's response time degrade or the service become unavailable. This makes it attractive for automated scanning and opportunistic attacks. The CVSS score of 7.5 (HIGH) reflects the ease of exploitation and high availability impact, despite the absence of confidentiality or integrity consequences.
Remediation
Upgrade affected Spring Data Commons to patched versions immediately. Verify against the official Broadcom Spring Data advisory for exact patched version numbers for your minor version branch. After patching, rebuild and redeploy affected applications. If immediate patching is not feasible, implement network-level mitigations: rate limit incoming requests by source IP, implement request size limits on property path parameters, and monitor for unusual patterns in request latency or error rates. Apply these controls at API gateways, load balancers, or web application firewalls.
Patch guidance
Consult the Broadcom Spring Data Commons security advisory to determine the correct patched version for your currently deployed version line. Versions 3.4.x, 3.5.x, and 4.0.x may have different patch releases. Verify the patch version against the official vendor announcement. After applying patches, perform integration testing to confirm no regressions in property resolution or query functionality. If you use a dependency management tool (Maven BOM, Gradle platform), update the Spring Data version declaration and rebuild all dependent modules. Test in a staging environment before production rollout.
Detection guidance
Monitor application logs and metrics for signs of resource exhaustion: sustained high CPU usage, memory growth, or increased garbage collection frequency correlating with incoming requests. Log all property path strings submitted to query endpoints and analyze for unusual complexity, nesting depth, or repeated special characters. Implement alerting on response time degradation for query-related endpoints. Network-based detection can identify repeated requests with long or malformed property path parameters sent to vulnerable endpoints. Consider correlating such patterns with source IPs to identify scanning or attack campaigns. Baseline normal property path complexity in your environment and flag outliers.
Why prioritize this
This vulnerability warrants high priority remediation because exploitation is trivial, requires no authentication, and directly impacts service availability. The HIGH CVSS score, combined with the ubiquity of Spring Data in Java microservices architectures, means broad organizational exposure. Unlike vulnerabilities requiring specific configurations or user interaction, this is a straightforward resource exhaustion flaw that can be triggered on any exposed endpoint using Spring Data's property resolution. Delaying patches increases the window for automated exploitation during the vulnerability disclosure period.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects: (1) Network-accessible attack surface (AV:N), (2) Low complexity attack requiring no special conditions (AC:L), (3) No authentication required (PR:N), (4) No user interaction needed (UI:N), (5) Single-target scope (S:U), (6) No confidentiality or integrity impact (C:N, I:N), but (7) High availability impact from resource exhaustion (A:H). The absence of KEV status indicates this is not currently on CISA's Known Exploited Vulnerabilities catalog, but the simplicity of exploitation suggests proactive patching is critical before threat actors develop weaponized tooling.
Frequently asked questions
Do I need authentication credentials to exploit this vulnerability?
No. The vulnerability does not require authentication. Any attacker with network access to an endpoint that accepts property path parameters can craft a malicious request to trigger resource exhaustion.
What happens if we apply only partial mitigations like rate limiting without patching?
Rate limiting can reduce the immediate attack surface and slow exploitation, but it does not fix the underlying flaw. A patient attacker or determined adversary can still cause denial of service, albeit at a slower pace. Patching is the definitive remediation; mitigations buy time for patching and deployment.
How do I determine if my application uses the vulnerable Spring Data Commons versions?
Review your application's dependency tree using Maven (mvn dependency:tree) or Gradle (gradle dependencies). Look for spring-data-commons with version 3.4.0–3.4.14, 3.5.0–3.5.11, or 4.0.0–4.0.5. Check both direct and transitive dependencies, as Spring Data modules (JPA, MongoDB, etc.) often pull in commons automatically.
Are Spring Data REST endpoints the only attack surface?
No. Any application code that directly or indirectly uses MappingContext property path resolution with user-supplied input is vulnerable. This includes REST controllers accepting query filters, GraphQL resolvers, and custom repository implementations. Identify all endpoints or services that accept property path parameters and test them.
This analysis is based on the CVE record and vendor advisory information available as of the publication date. Specific patch version numbers, SLAs, and detailed remediation steps should be verified directly against the Broadcom Spring Data Commons security advisory and your organization's internal policies. This assessment does not constitute professional security advice tailored to your specific infrastructure; conduct a formal risk assessment in your environment before deciding on remediation timelines. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41711MEDIUMSpring Data Commons Stack Overflow DoS Vulnerability – Analysis & Patch Guidance
- CVE-2026-41721MEDIUMSpring Data Commons Memory Exhaustion DoS Vulnerability
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2025-52293HIGHGPAC MP4Box HEVC Parser Denial of Service (CVSS 7.5)
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-10143HIGHkafka-python SCRAM DoS – Event Loop Freeze Vulnerability
- CVE-2026-34713HIGHAdobe CAI Content Credentials Denial-of-Service Vulnerability
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability