CVE-2026-41730

Vulnerability

Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 are vulnerable. This issue affects applications that expose a Spring Data REST repository backed by a relational (JDBC/JPA) store and do not have additional error-handling configuration or a Spring Security access policy preventing unauthenticated access to affected endpoints [1].

Exploitation

An attacker can exploit this vulnerability by sending a request to an affected endpoint. If an error occurs within the persistence layer, the full exception cause chain, which may contain sensitive details about the persistence-layer internals, will be serialized into the HTTP error response body. No specific authentication or user interaction is required for exploitation, provided the endpoint is accessible [1].

Impact

Successful exploitation of this vulnerability can lead to the disclosure of sensitive information related to the application's persistence layer. This information could potentially aid an attacker in understanding the internal structure of the application, which might be leveraged for further attacks. The scope of the compromise is limited to information disclosure [1].

Mitigation

Users of affected versions should upgrade to the following fixed versions: 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6. Versions that are no longer supported are also affected. Specific release dates for these versions are not detailed in the provided references [1].