CVE-2026-41721

Vulnerability

Spring Data Commons versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.11, 3.4.0 through 3.4.14, 3.3.0 through 3.3.16, 3.2.0 through 3.2.15, 3.1.0 through 3.1.14, 3.0.0 through 3.0.15, and 2.7.0 through 2.7.19 are affected by a denial of service vulnerability. This issue can be triggered when Spring Data Web Support is enabled and a Controller method uses the @ProjectedPayload annotation.

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to an application that meets the conditions described above. No specific privileges or user interaction are mentioned as required for exploitation, but the attack vector is network-based.

Impact

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. The application may crash or become unresponsive due to excessive memory allocation caused by the crafted request.

Mitigation

Users should upgrade to the following fixed versions: 4.0.6, 3.5.12, 3.4.15, 3.3.17, or 2.7.20, depending on the affected branch. Specific release dates for these versions are not yet disclosed in the available references [1].