MEDIUM 4.8

CVE-2026-41697: Spring Data Relational Query By Example SQL Injection Vulnerability

Spring Data Relational, a widely-used Java framework for database access, contains a vulnerability in its Query By Example (QBE) feature. When developers use string matching options like STARTING, ENDING, or CONTAINING, the framework fails to properly escape wildcard characters from user-supplied input. An attacker can exploit this by injecting wildcard characters to perform boolean-based blind SQL inference attacks—essentially asking yes-or-no questions about the underlying database without directly viewing the data. The vulnerability affects multiple versions across 2.4, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, and 4.0 release lines.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Weaknesses (CWE)
CWE-943
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-27

NVD description (verbatim)

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

Spring Data Relational's Query By Example implementation does not sanitize wildcard characters in StringMatcher operations (STARTING, ENDING, CONTAINING). When these matchers are applied to user-controlled input, an attacker can inject SQL wildcards (typically %) or database-specific pattern characters to manipulate query logic. The resulting SQL queries leak information through response timing or record-count variations, enabling boolean-based blind data inference. This is classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), a subtype of SQL injection. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) reflects network exploitability, high attack complexity (due to guessing requirements), low confidentiality impact, and low availability impact.

Business impact

Organizations using Spring Data Relational are exposed to data exfiltration risk if QBE with StringMatcher is used to query sensitive tables with user-supplied parameters. While the CVSS score is MEDIUM (4.8), the business impact depends on whether QBE is publicly exposed (e.g., in REST APIs or search features) and whether sensitive data is queryable. An attacker performing blind inference could slowly extract passwords, personally identifiable information, or business-critical values. Availability impact is also noted, suggesting potential for denial-of-service through resource-exhaustive queries. The likelihood of exploitation increases if your application treats user input as trusted for pattern matching.

Affected systems

All versions of Spring Data Relational from 2.4.0 through 4.0.5 are affected. Specifically: 2.4.0–2.4.19, 3.0.0–3.0.15, 3.1.0–3.1.14, 3.2.0–3.2.15, 3.3.0–3.3.16, 3.4.0–3.4.14, 3.5.0–3.5.11, and 4.0.0–4.0.5. Affected frameworks include Spring Data JDBC and Spring Data R2DBC (reactive). Any application linking these library versions and using Query By Example with STARTING, ENDING, or CONTAINING matchers on externally-controlled input is vulnerable. Check your build files (pom.xml, build.gradle) and dependency trees for these versions.

Exploitability

Exploitation requires network access and relatively high attack complexity due to the blind nature of the inference—attackers must guess values character-by-character and interpret subtle response differences. No public exploit code or proof-of-concept has been disclosed as of the publication date. The vulnerability is not on the CISA Known Exploited Vulnerabilities (KEV) catalog, and no evidence of active exploitation in the wild has been reported. However, the attack is feasible for determined adversaries with database schema knowledge, and tooling to automate blind SQL inference exists in the security community. Organizations should assume this may be exploited once patches are widely available or details become public.

Remediation

Upgrade Spring Data Relational to patched versions as soon as possible. Verify against the official Spring Data release notes for exact patch versions addressing CVE-2026-41697 for each minor/major release line. Until patching: (1) avoid using Query By Example with StringMatcher on untrusted user input; (2) implement input validation and allowlisting for pattern parameters; (3) use parameterized queries or prepared statements for all SQL operations; (4) apply principle of least privilege to database user accounts; (5) monitor query patterns for suspicious wildcard usage.

Patch guidance

Check the Spring Data release notes and security advisories at spring.io for patch versions corresponding to your version line. Patches are expected for all affected release trains (2.4, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, and 4.0). Test patched versions in a staging environment before production deployment to ensure compatibility with your application. Spring Data releases typically maintain backward compatibility within a major version, but verify before upgrading. If you are on extended support versions, confirm your support status and patch availability with your vendor.

Detection guidance

Monitor application logs for unusual patterns in Query By Example requests, particularly those with wildcard characters (% or _) in StringMatcher fields. Use static analysis tools (e.g., Checkmarx, SonarQube) to identify calls to Query By Example with user-supplied input. Network-based detection is difficult without database query logging. Enable SQL logging in your Spring Data configuration (spring.jpa.show-sql, spring.jpa.properties.hibernate.format_sql) and examine query patterns for injected wildcards. Watch for unusually frequent queries or high database CPU from inference-style attack patterns (e.g., many queries with LIKE clauses testing single characters).

Why prioritize this

Although the CVSS score is MEDIUM (4.8), this vulnerability warrants prompt attention because: (1) it affects a foundational framework used by many Java applications; (2) it enables direct data exfiltration without requiring code execution or privilege escalation; (3) patches exist and should be applied in your next maintenance window; (4) it is trivial to enable if QBE is exposed via REST APIs or user-facing search; (5) the attack, while blind, is fully automatable and does not require active exploitation tools—an attacker only needs HTTP access and patience. Prioritize if your application exposes QBE directly to end users; defer slightly if QBE is used only in internal services with limited user access.

Risk score, explained

The CVSS 3.1 score of 4.8 (MEDIUM) reflects: Network exploitability (AV:N), High attack complexity due to blind guessing (AC:H), no privileges or user interaction required (PR:N, UI:N), Unchanged scope (S:U), and Low impact to Confidentiality (C:L) and Availability (A:L). The score correctly downgrades severity because the attacker must guess values iteratively and the impact is constrained to information disclosure and minor availability disruption, not system compromise. However, in practice, the score may underestimate risk for applications exposing sensitive data or operating in high-stakes environments. Risk is substantially higher if QBE is user-facing and database contains PII, financial data, or trade secrets.

Frequently asked questions

Can we disable Query By Example to avoid this vulnerability?

Yes. If Query By Example is not essential to your application, removing it eliminates this attack surface entirely. Review your codebase for Repository interfaces extending QueryByExampleExecutor and refactor to explicit query methods (using @Query or repository method names). This is a safe short-term mitigation while you plan your upgrade.

Does this vulnerability apply if we only use exact matches (EXACT) or case-insensitive exact matches?

No. The vulnerability is specific to StringMatcher types STARTING, ENDING, and CONTAINING, which use LIKE-style pattern matching. EXACT matcher does not perform wildcard matching and is unaffected. If your application uses only EXACT matching, you are not exposed to this vulnerability.

Is there a workaround without upgrading?

Partial mitigations exist: (1) implement a whitelist of allowed characters for fields used in pattern matching and reject input containing %, _, or database-specific wildcards; (2) escape wildcard characters manually before passing to Query By Example (verify your database-specific escape syntax); (3) move pattern-matching logic outside the Query By Example layer to your application code, where you have full control over escaping. These workarounds reduce risk but do not fully eliminate it—upgrading to patched versions remains essential.

Does this affect Spring Data JPA, or only JDBC/R2DBC?

The advisory specifically names Spring Data Relational, JDBC, and R2DBC. Spring Data JPA may also be affected depending on whether it delegates to the vulnerable Relational layer. Check the official Spring Data security advisory and your project's dependency tree. If in doubt, apply the same testing and upgrade schedule.

This analysis is provided for informational purposes based on public vulnerability data current as of the publication date. CVSS scores, affected versions, and patch status are derived from official sources; verify patch version numbers and availability against the official Spring Data security advisory before deploying. No exploit code is provided or endorsed. Organizations are responsible for assessing risk in their specific environment and determining appropriate remediation timelines. This document does not constitute legal, compliance, or specific security advice; consult your security team and vendor documentation for your use case. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).