CVE-2026-41695
Description
Spring Data Commons is vulnerable to denial of service via resource exhaustion when processing attacker-controlled property paths.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring Data Commons applications are vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. This vulnerability affects Spring Data Commons versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, and 3.4.0 through 3.4.14. An application is vulnerable when all of the following hold: attacker-controlled input is used as a property path string for path resolution; the consuming module or application exposes this resolution to untrusted callers (e.g., Spring Data REST); and either the targeted domain types contain recursive or sufficiently deeply nested property graphs, or attackers can submit a large number of unique invalid paths [1].
Exploitation
An attacker can exploit this vulnerability by providing specially crafted, attacker-controlled input as a property path string for path resolution. This requires the consuming module or application to expose this resolution to untrusted callers, such as when using Spring Data REST. The vulnerability is triggered when the targeted domain types contain recursive or sufficiently deeply nested property graphs, or when attackers can submit a large number of unique invalid paths [1].
Impact
Successful exploitation of this vulnerability can lead to a denial of service through resource exhaustion. This means the application may become unresponsive or crash due to excessive resource consumption, preventing legitimate users from accessing the service. The scope of the impact is limited to the availability of the affected application [1].
Mitigation
Users of affected versions should upgrade to the corresponding fixed versions: Spring Data Commons 4.0.6, 3.5.12, or 3.4.15. Version 3.4.15 is available for Enterprise Support Only. No other mitigation steps are necessary. The vulnerability was reported on 2026-06-09 [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Spring Data Commons, affected range: 4.0.0 - 4.0.5, 3.5.0 - 3.5.11, 3.4.0 - 3.4.14
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Spring Projects: 25 Vulnerabilities Disclosed, Including SpEL Injection and Deserialization Flaws (Vypr Intelligence · Jun 10, 2026)