CVE-2026-41007 Overview
CVE-2026-41007 is a denial of service vulnerability in Spring HATEOAS, the library that adds hypermedia support to Spring-based REST APIs. The framework maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Remote attackers can submit unique link relation values to grow the cache without limit, exhausting Java Virtual Machine (JVM) heap memory. The flaw is tracked under [CWE-770: Allocation of Resources Without Limits or Throttling].
Critical Impact
Unauthenticated remote attackers can trigger memory exhaustion in any Spring HATEOAS application that exposes endpoints constructing LinkRelation objects from user input, leading to application crashes and service outages.
Affected Products
- Spring HATEOAS 1.5.0 through 1.5.6
- Spring HATEOAS 2.3.0 through 2.3.4, and 2.4.0 through 2.4.1
- Spring HATEOAS 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3
Discovery Timeline
- 2026-06-09 - CVE-2026-41007 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-41007
Vulnerability Analysis
Spring HATEOAS represents link relations using the LinkRelation interface, with StringLinkRelation as a common implementation. To reduce object allocation overhead, the library caches StringLinkRelation instances in a static map keyed by the relation string. The cache has no upper bound and no eviction policy.
When an application constructs LinkRelation values from request data such as headers, query parameters, or request bodies, each unique input creates a new cache entry. Entries persist for the lifetime of the JVM. An attacker who can submit arbitrary strings causes the cache to grow until the heap is exhausted and the process throws OutOfMemoryError.
Root Cause
The root cause is the absence of bounds and eviction on the static StringLinkRelation cache. Cache keys derive from untrusted input but the library treats them as a bounded set of well-known relation names. This assumption breaks any time application code routes user-controlled strings into LinkRelation.of(...) or equivalent factory methods.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker repeatedly invokes an endpoint that constructs link relations from input the attacker controls, varying the value on each request. Each request retains additional bytes in the heap. Sustained traffic drives the JVM into garbage collection thrashing and eventual termination.
No verified proof-of-concept code is publicly available. Technical details are documented in the Spring Security Advisory for CVE-2026-41007.
Detection Methods for CVE-2026-41007
Indicators of Compromise
- Steady growth in JVM old-generation heap usage that does not recover after full garbage collection cycles.
- Increasing OutOfMemoryError events or process restarts on services that use Spring HATEOAS.
- High request volume to REST endpoints with unique, high-entropy values in fields used to build hypermedia link relations.
Detection Strategies
- Take heap dumps from affected services and inspect retained StringLinkRelation instances and the static cache backing map for abnormal entry counts.
- Inventory application code for calls to LinkRelation.of, IanaLinkRelations, or custom factories that accept request-derived strings.
- Correlate web access logs with JVM memory metrics to identify clients sending many requests with varying parameters tied to link relation construction.
Monitoring Recommendations
- Track JVM heap, garbage collection pause times, and process restarts for Spring HATEOAS services via Micrometer, Prometheus, or equivalent telemetry.
- Alert on sustained per-client request rates against endpoints that emit HATEOAS links.
- Centralize application and runtime logs so analysts can pivot from memory pressure to the originating HTTP traffic.
How to Mitigate CVE-2026-41007
Immediate Actions Required
- Upgrade Spring HATEOAS to a fixed release as listed in the Spring Security Advisory.
- Audit application code to ensure user-supplied strings are not passed directly to LinkRelation factory methods.
- Place rate limits on REST endpoints that build hypermedia responses from request data.
Patch Information
VMware Spring has released fixed versions in the 1.5.x, 2.3.x, 2.4.x, 2.5.x, and 3.0.x branches. Consult the Spring Security Advisory for CVE-2026-41007 for the exact patched version numbers and update the spring-hateoas dependency in Maven or Gradle build files accordingly.
Workarounds
- Validate and constrain incoming values to an allowlist of known link relation names before passing them to Spring HATEOAS APIs.
- Reject or normalize requests that contain unexpected characters or excessive length in fields used for link relations.
- Deploy a web application firewall (WAF) rule to throttle clients submitting high-cardinality values to HATEOAS-backed endpoints until patching completes.
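The allowlist workaround above, as an added illustration (this is not Spring HATEOAS project code): request-supplied relation names are resolved against a fixed map of pre-built IanaLinkRelations constants, so untrusted strings are never passed to LinkRelation.of(...) and never add entries to the static cache. The class name, the MAX_REL_LENGTH limit and the chosen allowlist are assumptions for the example.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import org.springframework.hateoas.IanaLinkRelations;
import org.springframework.hateoas.LinkRelation;

// Example class (hypothetical, not part of Spring HATEOAS): resolve a
// client-supplied relation name by lookup instead of construction.
public final class SafeLinkRelations {

    // Assumed upper bound on accepted input length; longer values are rejected
    // before any lookup so oversized strings are never processed further.
    private static final int MAX_REL_LENGTH = 32;

    // Only pre-built constants: the key set is fixed at class-load time and
    // cannot grow with traffic, unlike a cache keyed on arbitrary strings.
    private static final Map<String, LinkRelation> ALLOWED = Map.of(
            "self", IanaLinkRelations.SELF,
            "next", IanaLinkRelations.NEXT,
            "prev", IanaLinkRelations.PREV,
            "first", IanaLinkRelations.FIRST,
            "last", IanaLinkRelations.LAST,
            "collection", IanaLinkRelations.COLLECTION);

    private SafeLinkRelations() {}

    // Pattern the advisory warns about: LinkRelation.of(requested) creates and
    // caches one StringLinkRelation per distinct input. The hardened form below
    // never constructs a relation from input; it only returns a known constant.
    public static Optional<LinkRelation> resolve(String requested) {
        if (requested == null || requested.length() > MAX_REL_LENGTH) {
            return Optional.empty();
        }
        // RFC 8288 compares relation types case-insensitively, so normalize
        // before lookup; "Self" and "self" map to the same constant.
        String key = requested.trim().toLowerCase(Locale.ROOT);
        return Optional.ofNullable(ALLOWED.get(key));
    }

    // Fail-closed variant for controllers that prefer an exception (mapped to
    // an HTTP 400 by the application) over an empty result on unknown input.
    public static LinkRelation resolveOrReject(String requested) {
        return resolve(requested).orElseThrow(
                () -> new IllegalArgumentException("unsupported link relation"));
    }
}
```

Every relation the application emits from user input then comes from a set whose size is known in advance, which is the property the unbounded cache assumed but the library did not enforce.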
# Configuration example: pin a patched Spring HATEOAS release in Maven
# Replace <FIXED_VERSION> with the patched version from the Spring advisory
mvn versions:use-dep-version \
-Dincludes=org.springframework.hateoas:spring-hateoas \
-DdepVersion=<FIXED_VERSION> \
-DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.