CVE-2026-41007— Spring HATEOAS heap exhaustion through unbounded internal caching
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 5
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring HATEOAS | 1.5.0< 1.5.7 | affected |
2.3.0< 2.3.5 | affected | ||
2.4.0< 2.4.2 | affected | ||
2.5.0< 2.5.3 | affected | ||
3.0.0< 3.0.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41007
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Spring HATEOAS heap exhaustion through unbounded internal caching
Source: NVD (National Vulnerability Database)
Vulnerability Description
Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
VMware Spring HATEOAS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
VMware Spring HATEOAS是美国威睿(VMware)公司的一个REST API超媒体开发框架。 VMware Spring HATEOAS 1.5.0至1.5.6版本、2.3.0至2.3.4版本、2.4.0至2.4.1版本、2.5.0至2.5.2版本和3.0.0至3.0.3版本存在安全漏洞,该漏洞源于维护一个无界静态缓存,可能导致攻击者利用提供的字符串进行攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring | Spring HATEOAS | 1.5.0 ~ 1.5.7 | - |
II. Public POCs for CVE-2026-41007
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41007
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41007 (1)
Same Patch Batch · Spring · 2026-06-09 · 51 CVEs total
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41003 | 7.6 HIGH | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-40984 | 7.5 HIGH | Micrometer HTTP server instrumentations DoS vulnerability |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |
| CVE-2026-47838 | 6.8 MEDIUM | Unauthorized User Impersonation when Using X.509 Client Certificates |
Showing top 20 of 51 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same vendor: Spring
- CVE-2026-47825
Spring Cloud Gateway Server Forwards Headers from Untrusted - CVE-2026-41708
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnera - CVE-2026-47835
Spring AI vector store metadata filtering to handle special - CVE-2026-41856
Spring GraphQL Annotation Detection Vulnerability - CVE-2026-41700
Cross-Site WebSocket Hijacking in Spring for GraphQL
Same weakness: CWE-770
- CVE-2026-49337
libde265 has an unbounded memory leak via orphaned slice hea - CVE-2025-7737
DoS Vulnerability in 10G iSCSI Interface of Hitachi Virtual - CVE-2026-55205
Hermes WebUI < 0.51.468 - Resource Exhaustion via Unauthenti - CVE-2026-27869
WEB SERVICE (HTTP) DENIAL OF SERVICE VIA SLOW HEADERS ON REG - CVE-2026-48854
Unbounded request body accumulation causes memory exhaustion
V. Comments for CVE-2026-41007
No comments yet