VYPR
Medium severity, 4.8 · NVD Advisory · Published Jun 10, 2026

CVE-2026-41697

Description

Spring Data Relational allows boolean-based blind data inference via unescaped wildcard characters in Query By Example.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Spring Data Relational, JDBC, and R2DBC versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.4.0 through 2.4.19 do not properly escape binding values derived from externally controlled input when a StringMatcher (STARTING, ENDING, or CONTAINING) is used in Query By Example (QBE) [1]. Because the value is bound as a parameter, this is not SQL injection; the problem is that LIKE wildcard characters inside the value keep their wildcard meaning.

Exploitation

An attacker can supply wildcard characters to perform boolean-based blind data inference, but only if an application developer explicitly configures and exposes a QBE probe that accepts untrusted input [1]. This vulnerability is not exploitable by default; it requires that specific application configuration.

Impact

Successful exploitation allows an attacker to perform boolean-based blind data inference, enabling them to guess data within the queried entity [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: Spring Data Relational 4.0.6, 3.5.12, 3.4.15, 3.3.17, or 2.4.20. Corresponding fixes are also available for Spring Data JDBC and R2DBC [1].
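To make the Vulnerability and Mitigation sections concrete, here is an added example that is not Spring Data's code and does not model its internals. It uses a constructed in-memory SQLite table to show the generic mechanism: a CONTAINING-style matcher wraps a bound probe value in `%`, so `%` and `_` inside the probe still act as LIKE wildcards, and the match count then leaks information about the stored data. The function names (`escape_like`, `count_containing_unescaped`, `count_containing_escaped`) and the sample rows are assumptions made for this illustration. The escaped variant shows the shape of the fix: escape the LIKE metacharacters in the value and declare the escape character with `ESCAPE`.

```python
import sqlite3

# Constructed sample rows standing in for the "queried entity"; not real data.
SAMPLE_ROWS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol_admin@example.org"),
]


def escape_like(value: str, escape_char: str = "\\") -> str:
    """Escape LIKE metacharacters (and the escape character itself) so an
    externally supplied value is matched literally rather than as a pattern."""
    return (value.replace(escape_char, escape_char * 2)
                 .replace("%", escape_char + "%")
                 .replace("_", escape_char + "_"))


def _connect() -> sqlite3.Connection:
    """Build the constructed table in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def count_containing_unescaped(probe: str) -> int:
    """Models the defect: the probe is bound as a parameter (no SQL injection),
    but the CONTAINING matcher wraps it in '%' without escaping, so any '%' or
    '_' inside the probe keeps its wildcard meaning and widens the match."""
    conn = _connect()
    try:
        (count,) = conn.execute(
            "SELECT COUNT(*) FROM users WHERE email LIKE ?",
            ("%" + probe + "%",),
        ).fetchone()
    finally:
        conn.close()
    return count


def count_containing_escaped(probe: str) -> int:
    """Hardened form: metacharacters in the probe are escaped and the escape
    character is declared, so the probe only matches literal substrings."""
    conn = _connect()
    try:
        (count,) = conn.execute(
            "SELECT COUNT(*) FROM users WHERE email LIKE ? ESCAPE '\\'",
            ("%" + escape_like(probe) + "%",),
        ).fetchone()
    finally:
        conn.close()
    return count


if __name__ == "__main__":
    # A probe made only of a single '_' matches every row when unescaped
    # (one wildcard character) but only the row that literally contains an
    # underscore once escaped; the differing counts are the inference channel.
    for probe in ("alice", "_", "a%org"):
        print(f"{probe!r}: unescaped={count_containing_unescaped(probe)} "
              f"escaped={count_containing_escaped(probe)}")
```

The detection-side takeaway is the same whichever ORM or database is in use: any code path that builds a LIKE pattern from a request parameter should either escape `%`, `_`, and the escape character (as `escape_like` does) or reject values containing them, and the queried column should be one the caller is entitled to read in full anyway.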

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3 products (Spring Data Relational, Spring Data JDBC, and Spring Data R2DBC, as named in the description), all with the same affected range:
  • Range: 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, 2.4.0 through 2.4.19

Patches

0 — No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1