CVE-2026-41697

Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern (CVE-2026-41697)

CVSS score: 4.8 / 10 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Description

Spring Data Relational does not properly escape externally-controlled binding values when they are used with a StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker who controls such a value can supply LIKE wildcard characters to perform boolean-based blind data inference.

Affected versions:
Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
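The following added example, written for this page and not taken from Spring Data, shows the mechanism behind the description: a CONTAINING pattern built from a value that still contains LIKE wildcards matches rows the literal value never would, while escaping `%`, `_` and the escape character restores literal matching. The escape character, the helper names (`escapeLike`, `containing`, `containsWildcards`, `like`) and the sample column values are assumptions of the example; the tiny `like` evaluator stands in for the database so the block runs offline.

```java
import java.util.regex.Pattern;

/** Added illustration of unescaped vs. escaped LIKE patterns; not Spring Data code. */
public final class LikeEscapeDemo {

    // Assumed escape character for this demo; the page does not state which one Spring Data binds.
    static final char ESC = '\\';

    /** Escape the LIKE metacharacters so the value is matched literally. */
    static String escapeLike(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 4);
        for (char c : value.toCharArray()) {
            if (c == '%' || c == '_' || c == ESC) {
                sb.append(ESC);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Pattern shape for StringMatcher.CONTAINING (STARTING would be value + "%", ENDING "%" + value). */
    static String containing(String value) {
        return "%" + value + "%";
    }

    /** Defender-side check: true when a caller-supplied value would alter the pattern's meaning. */
    static boolean containsWildcards(String value) {
        return value.indexOf('%') >= 0 || value.indexOf('_') >= 0 || value.indexOf(ESC) >= 0;
    }

    /** Minimal LIKE ... ESCAPE evaluator, used only to show the two behaviours side by side. */
    static boolean like(String text, String pattern) {
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == ESC && i + 1 < pattern.length()) {
                // escaped character: match it literally
                re.append(Pattern.quote(String.valueOf(pattern.charAt(++i))));
            } else if (c == '%') {
                re.append(".*");
            } else if (c == '_') {
                re.append('.');
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        re.append('$');
        return Pattern.compile(re.toString(), Pattern.DOTALL).matcher(text).matches();
    }

    public static void main(String[] args) {
        String[] rows = {"alice", "alex", "bob", "al_a"};   // constructed sample column values
        String input = "al_";                                // constructed request parameter

        if (containsWildcards(input)) {
            // worth logging: the request carries wildcards that change what the probe matches
            System.out.println("input carries LIKE wildcards: " + input);
        }
        for (String row : rows) {
            boolean unescaped = like(row, containing(input));
            boolean escaped = like(row, containing(escapeLike(input)));
            System.out.printf("%-5s unescaped=%-5b escaped=%b%n", row, unescaped, escaped);
        }
    }
}
```

With the unescaped pattern `%al_%`, `alice` and `alex` match because `_` consumes one arbitrary character; with the escaped pattern `%al\_%` only the row that literally contains `al_` matches. Upgrading to a fixed release is the remedy the advisory implies; if an application on an affected version escapes values itself as a stopgap, that escaping must be removed after the upgrade, since escaping the same value twice would make the library match literal escape characters instead of the intended text.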

Basic Information

ID: CVE-2026-41697
Source: vmware
Published: Jun 9, 2026 at 23:47

Affected Product

Vendor: Spring
Product: Spring Data Relational
Version: 4.0.0

Affected Versions (by product, first version of each affected minor line):
Spring Data Relational: 4.0.0, 3.5.0, 3.4.0, 3.3.0, 3.2.0, 3.1.0, 3.0.0, 2.4.0
Spring Data JDBC: 4.0.0, 3.5.0, 3.4.0, 3.3.0, 3.2.0, 3.1.0, 3.0.0, 2.4.0
Spring Data R2DBC: 4.0.0, 3.5.0, 3.4.0, 3.3.0, 3.2.0, 3.1.0, 3.0.0, 1.5.0
