CVE-2026-41697
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Data Relational is the Spring Data module that provides repository support, object mapping, and query abstractions for relational databases, and it underpins both Spring Data JDBC and Spring Data R2DBC. A medium-severity vulnerability (CVE-2026-41697) has been identified in Spring Data Relational where binding values are not properly escaped when a Query By Example (QBE) probe uses a StringMatcher of STARTING, ENDING, or CONTAINING. If an application wires externally controlled input into a QBE probe, an attacker can supply SQL LIKE wildcard characters to perform boolean-based blind data inference, allowing them to guess data within the queried entity. The vulnerability is not exploitable by default; it requires the application developer to explicitly configure and expose a QBE probe that accepts untrusted input.
Per OWASP, sensitive information disclosure occurs when an application allows an actor to access data they are not authorized to see. Here, unescaped wildcard metacharacters in a QBE LIKE pattern give the attacker a true/false oracle that can be used to infer the contents of the queried entity one boolean question at a time.
This issue affects versions >=2.2.0 <=2.2.12, >=2.4.0 <=2.4.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.12, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5 of Spring Data Relational.
Details
Module Info
- Product: Spring Data Relational
- Affected packages: spring-data-relational, spring-data-jdbc, spring-data-r2dbc
- Affected versions: >=2.2.0 <=2.2.12, >=2.4.0 <=2.4.19, >=3.0.0 <=3.0.15, >=3.1.0 <=3.1.12, >=3.2.0 <=3.2.15, >=3.3.0 <=3.3.16, >=3.4.0 <=3.4.14, >=3.5.0 <=3.5.11, >=4.0.0 <=4.0.5
- GitHub repository: https://github.com/spring-projects/spring-data-relational
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-relational
- Package manager: maven
- Fixed in:
  - NES for Spring Data Relational
  - Spring Data Relational 4.0.6, 3.5.12 (OSS)
Vulnerability Info
Query By Example builds a query from a probe entity and an ExampleMatcher. When the matcher specifies a string-matching mode of STARTING, ENDING, or CONTAINING, Spring Data Relational maps the probe property to a SQL LIKE predicate.
In the affected versions, RelationalExampleMapper constructs the LIKE pattern by concatenating the probe value directly with the % wildcard, without escaping the value:
    // RelationalExampleMapper, affected versions: convPropValue is concatenated
    // with "%" as-is, so any "%" or "_" it contains remains a LIKE wildcard.
    case ENDING:
        criteriaBasedOnProperties.add(includeNulls(example)
                ? Criteria.where(column).isNull().or(column).like("%" + convPropValue).ignoreCase(ignoreCase)
                : Criteria.where(column).like("%" + convPropValue).ignoreCase(ignoreCase));
        break;
    case STARTING:
        criteriaBasedOnProperties.add(includeNulls(example)
                ? Criteria.where(column).isNull().or(column).like(convPropValue + "%").ignoreCase(ignoreCase)
                : Criteria.where(column).like(convPropValue + "%").ignoreCase(ignoreCase));
        break;
    case CONTAINING:
        criteriaBasedOnProperties.add(includeNulls(example)
                ? Criteria.where(column).isNull().or(column).like("%" + convPropValue + "%").ignoreCase(ignoreCase)
                : Criteria.where(column).like("%" + convPropValue + "%").ignoreCase(ignoreCase));
        break;
Because convPropValue is inserted verbatim, any LIKE metacharacters it contains, namely % and _, are interpreted by the database as wildcards rather than as literal characters. An attacker who controls the probe value can inject these metacharacters to widen or shape the set of rows that match. By submitting crafted patterns and observing whether a query matches, the attacker obtains a true/false oracle and can iteratively infer the contents of columns in the queried entity. The bound value remains parameterized, so this is confined to wildcard smuggling within the LIKE operand and does not permit arbitrary SQL execution.
This vulnerability has been present since Query By Example support was introduced in Spring Data Relational 2.2.
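The following is an added illustration, not code from the advisory or from Spring Data Relational: it mirrors the STARTING/ENDING/CONTAINING pattern construction above against an in-memory SQLite table (constructed sample rows) and places the unescaped form beside a hardened form that escapes LIKE metacharacters in the probe value and declares the escape character with an ESCAPE clause.

```python
import sqlite3

# Constructed sample rows standing in for the queried entity.
ROWS = [("alice",), ("alicia",), ("bob",), ("a_i",), ("50% off",)]


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT)")
    conn.executemany("INSERT INTO person VALUES (?)", ROWS)
    return conn


def like_pattern(value, mode):
    """Same concatenation as RelationalExampleMapper for each StringMatcher mode."""
    if mode == "STARTING":
        return value + "%"
    if mode == "ENDING":
        return "%" + value
    if mode == "CONTAINING":
        return "%" + value + "%"
    raise ValueError(f"unsupported StringMatcher mode: {mode}")


def has_like_metachars(value):
    """Cheap input check: does the probe value carry LIKE wildcards at all?"""
    return any(c in value for c in "%_")


def escape_like(value, esc="\\"):
    """Escape the escape character first, then % and _, so they match literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def match_vulnerable(conn, value, mode):
    # The pattern is a bound parameter (no SQL injection), but wildcards
    # inside `value` still shape which rows match.
    pattern = like_pattern(value, mode)
    rows = conn.execute("SELECT name FROM person WHERE name LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def match_hardened(conn, value, mode):
    # Escape the user-supplied part only, then tell the database which
    # character is the escape character so \% and \_ are literal.
    pattern = like_pattern(escape_like(value), mode)
    rows = conn.execute("SELECT name FROM person WHERE name LIKE ? ESCAPE '\\'",
                        (pattern,))
    return sorted(r[0] for r in rows)
```

A probe value of "%" under CONTAINING matches every row in the unescaped form but only the row containing a literal percent sign in the hardened form; "a_i" under STARTING matches "alice" and "alicia" unescaped, but only "a_i" once escaped.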
Mitigation
Spring Data Relational versions in the affected range that predate the open-source fixes are End-of-Life, and the older lines will not receive further public security updates. Applying private source patches is not recommended.
To remediate, HeroDevs recommends one of the following:
- Upgrade to a supported fixed version of Spring Data Relational (4.0.6 or 3.5.12, both OSS).
- For versions that are End-of-Life or otherwise without a public fix, adopt HeroDevs Never-Ending Support (NES) for Spring Data Relational, which provides a patched drop-in replacement. Learn more about HeroDevs Never-Ending Support for Spring Data Relational and request coverage at https://www.herodevs.com/support/spring-nes
Credits
- No public credit was listed in the Spring advisory at the time of publication.