CVE-2026-41730

Information Exposure
Affects
Spring Data REST
in
Spring
Versions
>=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data REST is a Spring Data module that automatically exports JPA, JDBC, MongoDB, and other Spring Data repositories as hypermedia-driven REST endpoints, turning repository methods into HTTP resources without hand-written controllers. When a request against one of those endpoints fails, Spring Data REST returns a JSON error body describing the failure so clients can react to it.

A medium-severity vulnerability (CVE-2026-41730) has been identified in Spring Data REST. The framework serializes the full exception cause chain into the HTTP error response body. The internal ExceptionMessage helper exposes a cause property that recursively wraps every nested Throwable, so the JSON returned to the client contains not just the top-level error message but each underlying cause in turn. For a repository backed by a relational (JDBC or JPA) store, the leaf causes of a failure are persistence-layer exceptions whose messages commonly embed SQL statement text, column and constraint names, driver error strings, and submitted values. An application that exposes such a repository through Spring Data REST without an additional error-handling configuration or a Spring Security access policy in front of the affected endpoints therefore leaks database internals to any client that can trigger a failing request, aiding reconnaissance of the schema and data model.

Per OWASP, improper error handling can disclose implementation details, such as stack traces, database dumps, and error codes, that are useful to an attacker because they reveal additional information that may otherwise be hidden, increasing the attacker's ability to compromise the system.

This issue affects >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, and >=5.0.0 <=5.0.5 of Spring Data REST.

Details

Module Info

Vulnerability Info

Spring Data REST renders exceptions into JSON through the ExceptionMessage helper, which is constructed from the thrown Throwable and exposes two serialized properties: the message and the cause.

import com.fasterxml.jackson.annotation.JsonProperty;

// Wraps the thrown exception for JSON rendering. Every nested cause becomes
// another ExceptionMessage, so the whole chain ends up in the response body.
public class ExceptionMessage {

    private final Throwable throwable;

    public ExceptionMessage(Throwable throwable) {
        this.throwable = throwable;
    }

    // Top-level message; for a JPA/JDBC failure this is the persistence exception's text.
    @JsonProperty("message")
    public String getMessage() {
        return throwable.getMessage();
    }

    // Recurses into the cause; Jackson serializes each level as a nested "cause" object.
    @JsonProperty("cause")
    public ExceptionMessage getCause() {
        return throwable.getCause() != null
            ? new ExceptionMessage(throwable.getCause())
            : null;
    }
}

Because getCause() is annotated @JsonProperty("cause") and recursively wraps each nested Throwable in another ExceptionMessage, Jackson walks and serializes the entire cause chain into the response body. The exception handlers that most often carry persistence internals, including those for DataIntegrityViolationException, OptimisticLockingFailureException, and ConversionFailedException, pass the raw exception straight into this helper. When the repository is backed by a relational store, the nested causes are JDBC or JPA exceptions whose messages contain SQL fragments, constraint and column names, and the offending values, all of which are then echoed verbatim to the HTTP client.

Exploitation requires no special tooling: any request that provokes a server-side failure, such as a write that violates a database constraint or a value that fails type conversion, returns the populated cause chain. If the affected endpoints are reachable without authentication, an unauthenticated remote client can probe them to map the schema and data model.
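A quick way to confirm whether a deployment returns the populated chain is to send one failing request and inspect the error body for nested cause objects and persistence-layer wording. The following is an added example, not code from Spring Data REST or HeroDevs: it walks the message/cause nesting of a JSON error body and flags messages that look like JDBC or JPA output. The sample body, its table and constraint names, and the marker regex are constructed for this illustration; the optional live probe assumes Java 11+ and a Jackson dependency on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CauseChainCheck {

    // Constructed sample of the kind of body described above (invented names and SQL).
    static final String SAMPLE_BODY =
        "{\"message\":\"could not execute statement [ERROR: duplicate key value violates unique constraint \\\"uk_person_email\\\"]\","
      + "\"cause\":{\"message\":\"could not execute statement [ERROR: duplicate key value violates unique constraint \\\"uk_person_email\\\"] [insert into person (email,name,id) values (?,?,?)]\","
      + "\"cause\":{\"message\":\"ERROR: duplicate key value violates unique constraint \\\"uk_person_email\\\"\",\"cause\":null}}}";

    // Fragments that normally appear only in driver/ORM exception text (assumption: tune per stack).
    static final Pattern PERSISTENCE_MARKERS = Pattern.compile(
        "(?i)(insert into|update \\w+ set|delete from|select .+ from|unique constraint|foreign key|"
      + "duplicate key|could not execute statement|sqlstate|violates)");

    /** Follows body.message -> body.cause.message -> ... and returns the messages in order. */
    static List<String> collectMessages(JsonNode body) {
        List<String> messages = new ArrayList<>();
        JsonNode node = body;
        while (node != null && node.isObject()) {
            JsonNode message = node.get("message");
            messages.add(message == null || message.isNull() ? "" : message.asText());
            node = node.get("cause");
        }
        return messages;
    }

    /** Number of nested cause objects; 0 means only the top-level message was returned. */
    static int causeDepth(JsonNode body) {
        return Math.max(0, collectMessages(body).size() - 1);
    }

    /** Messages anywhere in the chain that match the persistence markers. */
    static List<String> leakedMessages(JsonNode body) {
        List<String> hits = new ArrayList<>();
        for (String m : collectMessages(body)) {
            if (PERSISTENCE_MARKERS.matcher(m).find()) {
                hits.add(m);
            }
        }
        return hits;
    }

    /** Optional live probe: POST a body expected to fail (e.g. a duplicate) and parse the reply. */
    static JsonNode postAndParse(String url, String jsonBody) throws Exception {
        HttpRequest request = HttpRequest.newBuilder(URI.create(url))
            .header("Content-Type", "application/json")
            .POST(HttpRequest.BodyPublishers.ofString(jsonBody))
            .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
            .send(request, HttpResponse.BodyHandlers.ofString());
        return new ObjectMapper().readTree(response.body());
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CauseChainCheck [<endpoint-url> <json-body>]; with no args the sample is used.
        JsonNode body = args.length >= 2
            ? postAndParse(args[0], args[1])
            : new ObjectMapper().readTree(SAMPLE_BODY);
        System.out.println("nested cause levels: " + causeDepth(body));
        for (String m : leakedMessages(body)) {
            System.out.println("persistence detail in response: " + m);
        }
    }
}
```

On the sample body the check reports two nested cause levels and flags all three messages. Against a live endpoint, a fixed or mitigated deployment should yield a depth of 0 and no flagged messages; a non-zero depth alone is the cheapest indicator, since the marker list is heuristic and depends on the driver in use.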

This vulnerability has been present since the earliest Spring Data REST releases (2013).

Mitigation

Spring Data REST versions 4.5.x and 5.0.x receive the fix in the open-source releases 4.5.12 and 5.0.6; versions 3.7.x, 4.3.x, and 4.4.x are past their open-source support window and have no publicly available fix. Users still running an affected open-source line that no longer receives free updates should not attempt to hand-patch the exception-handling internals.

To remediate this issue, affected users have two recommended options:

  1. Upgrade to a supported, fixed release of Spring Data REST.
  2. Adopt HeroDevs Never-Ending Support (NES) for Spring Data REST, which provides a drop-in compatible build with this vulnerability fixed for release lines that are otherwise end-of-life, with no code changes required. Learn more about HeroDevs Never-Ending Support for Spring Data REST and request coverage at https://www.herodevs.com/support/spring-nes
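Independently of which option is chosen, the Overview notes that an application-level error-handling configuration in front of the affected endpoints prevents the leak. The following is an added example, not code from Spring Data REST or HeroDevs: a @ControllerAdvice ordered ahead of Spring Data REST's own handler for the three exception types named in this advisory, returning a fixed message and an opaque correlation id instead of the serialized cause chain. The class name, message wording and log format are this example's own choices; it assumes Spring MVC with Spring Data REST on the classpath and an SLF4J logger binding.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.ConversionFailedException;
import org.springframework.dao.DataIntegrityViolationException;
import org.springframework.dao.OptimisticLockingFailureException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.context.request.WebRequest;

// Example advice (not part of Spring Data REST). Highest precedence so it is
// consulted before Spring Data REST's RepositoryRestExceptionHandler.
@ControllerAdvice
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SanitizedErrorAdvice {

    private static final Logger log = LoggerFactory.getLogger(SanitizedErrorAdvice.class);

    @ExceptionHandler({ DataIntegrityViolationException.class, OptimisticLockingFailureException.class })
    public ResponseEntity<Map<String, String>> handleConflict(Exception ex, WebRequest request) {
        return respond(HttpStatus.CONFLICT,
            "The request conflicts with the current state of the resource.", ex, request);
    }

    @ExceptionHandler(ConversionFailedException.class)
    public ResponseEntity<Map<String, String>> handleConversion(ConversionFailedException ex, WebRequest request) {
        return respond(HttpStatus.BAD_REQUEST,
            "A value in the request could not be converted.", ex, request);
    }

    private ResponseEntity<Map<String, String>> respond(HttpStatus status, String clientMessage,
                                                        Exception ex, WebRequest request) {
        String errorId = UUID.randomUUID().toString();

        // The full chain, SQL text included, goes to the server log only, keyed by
        // errorId so a client-reported id can be correlated with the real cause.
        log.warn("errorId={} request={} rootCause={}", errorId,
                 request.getDescription(false), rootCause(ex).toString());

        // Body deliberately carries no "cause" property: a fixed message and an opaque id.
        Map<String, String> body = new LinkedHashMap<>();
        body.put("message", clientMessage);
        body.put("errorId", errorId);
        return ResponseEntity.status(status).body(body);
    }

    /** Follows getCause() to the leaf, guarding against self-referential causes. */
    private static Throwable rootCause(Throwable t) {
        Throwable current = t;
        while (current.getCause() != null && current.getCause() != current) {
            current = current.getCause();
        }
        return current;
    }
}
```

Verify it by issuing a write that violates a unique constraint and confirming the 409 body contains only message and errorId. The advice covers only the exception types this advisory names; other handlers in Spring Data REST still render through the same helper, so this is an interim control alongside, not a substitute for, a fixed release.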

Credits

  • This issue was identified and resolved by the Spring Data team.
Vulnerability Details

Severity: Medium

Severity scale (CVSS score range):
  Low       >=0 <4
  Medium    >=4 <6
  High      >=6 <8
  Critical  >=8 <10

ID: CVE-2026-41730
Project affected: Spring Data REST
Versions affected: >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
NES versions affected: none listed
Published date: June 16, 2026
Fix date (approximate): June 16, 2026
Category: Information Exposure