CVE-2026-41697
Status: Received - Intake
Boolean-Based Blind Injection in Spring Data Relational

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
Affected Vendors & Products

Vendor   Product           Version / Range
spring   data_relational   From 2.4.0 (inc) to 4.0.5 (inc)
spring   data_jdbc         From 2.4.0 (inc) to 4.0.5 (inc)
spring   data_r2dbc        From 1.5.0 (inc) to 4.0.5 (inc)
CWE

CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41697 is a vulnerability in Spring Data Relational where externally-controlled input values are not properly escaped when using StringMatcher options (STARTING, ENDING, or CONTAINING) in Query By Example (QBE).

This improper escaping allows an attacker to supply wildcard characters that can be used to perform boolean-based blind data inference attacks, potentially revealing sensitive information.

However, the vulnerability is not exploitable by default and requires the application developer to explicitly configure and expose a QBE probe that accepts untrusted input.

Impact Analysis

If exploited, this vulnerability can allow an attacker to infer data from the system by using specially crafted input with wildcard characters.

This could lead to unauthorized disclosure of sensitive information through boolean-based blind data inference.

The impact includes limited confidentiality loss and some availability impact, as indicated by the CVSS score (Confidentiality: Low, Availability: Low).

Detection Guidance

This vulnerability occurs when an application explicitly configures and exposes a Query By Example (QBE) probe that accepts untrusted input using StringMatcher (STARTING, ENDING, or CONTAINING). Detection involves reviewing application code and configurations to identify such usage.

There are no specific network or system commands provided to detect this vulnerability automatically.

Mitigation Strategies

The primary mitigation step is to upgrade affected Spring Data Relational, Spring Data JDBC, or Spring Data R2DBC versions to the fixed releases.

  • Upgrade to Spring Data Relational versions 4.0.6, 3.5.12, 3.4.15, 3.3.17, or 2.4.20 depending on your branch.
  • Avoid exposing QBE probes that accept untrusted input using StringMatcher with wildcard characters.
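The following is an added illustration, not code from the CVE record or from the Spring Data project. It shows the pattern the detection guidance tells reviewers to look for: a repository lookup that forwards a caller-supplied string into a Query By Example probe with a CONTAINING matcher, next to a hardened variant that rejects SQL LIKE wildcard characters before the value can reach the probe (or, where substring matching is not actually needed, falls back to EXACT matching). The Customer entity, the CustomerRepository interface, the email field and the wildcard set {%, _} are assumptions made for this example; the ExampleMatcher and Example API calls are the standard Spring Data Commons ones.

```java
// Added example: weak vs. hardened QBE lookup (assumed entity/repository, not project code).
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.data.annotation.Id;
import org.springframework.data.domain.Example;
import org.springframework.data.domain.ExampleMatcher;
import org.springframework.data.domain.ExampleMatcher.StringMatcher;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.QueryByExampleExecutor;

// Assumed entity for the example: one String column that ends up in a LIKE pattern.
class Customer {
    @Id
    private Long id;
    private String email;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

// Assumed repository: QueryByExampleExecutor supplies findAll(Example).
interface CustomerRepository extends CrudRepository<Customer, Long>, QueryByExampleExecutor<Customer> {}

public class CustomerLookup {

    // Standard SQL LIKE wildcards (assumed set; some databases treat further characters
    // such as '[' as pattern syntax, so extend this for your dialect).
    private static final Pattern LIKE_WILDCARDS = Pattern.compile("[%_]");

    private final CustomerRepository repository;

    public CustomerLookup(CustomerRepository repository) {
        this.repository = repository;
    }

    // Weak pattern (what a code review should flag): the untrusted fragment, wildcards
    // included, is bound as the CONTAINING pattern and so controls the LIKE expression.
    public List<Customer> findByEmailFragmentUnchecked(String fragment) {
        Customer probe = new Customer();
        probe.setEmail(fragment);
        ExampleMatcher matcher = ExampleMatcher.matching()
                .withIgnoreNullValues()
                .withMatcher("email", ExampleMatcher.GenericPropertyMatchers.contains());
        return toList(repository.findAll(Example.of(probe, matcher)));
    }

    // Hardened: refuse any value carrying LIKE wildcards, so the bound pattern can only be
    // a literal fragment. Upgrading to a fixed release remains the primary fix; this check
    // keeps the probe from accepting pattern syntax regardless of library version.
    public List<Customer> findByEmailFragment(String fragment) {
        if (fragment == null || fragment.isBlank() || LIKE_WILDCARDS.matcher(fragment).find()) {
            throw new IllegalArgumentException("search fragment must not contain LIKE wildcards");
        }
        Customer probe = new Customer();
        probe.setEmail(fragment);
        ExampleMatcher matcher = ExampleMatcher.matching()
                .withIgnoreNullValues()
                .withMatcher("email", ExampleMatcher.GenericPropertyMatchers.contains());
        return toList(repository.findAll(Example.of(probe, matcher)));
    }

    // Where a substring search is not required, EXACT matching removes the LIKE path entirely.
    public List<Customer> findByExactEmail(String email) {
        Customer probe = new Customer();
        probe.setEmail(email);
        ExampleMatcher matcher = ExampleMatcher.matching()
                .withIgnoreNullValues()
                .withStringMatcher(StringMatcher.EXACT);
        return toList(repository.findAll(Example.of(probe, matcher)));
    }

    private static List<Customer> toList(Iterable<Customer> rows) {
        List<Customer> out = new ArrayList<>();
        rows.forEach(out::add);
        return out;
    }
}
```

For detection, grepping a code base for `GenericPropertyMatchers.contains()`, `startsWith()`, `endsWith()`, or `withStringMatcher(StringMatcher.CONTAINING|STARTING|ENDING)` and then tracing whether the probe's string fields are populated from request parameters is the manual review the guidance above describes; any such path on an affected version is the condition the advisory requires for exploitation.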

Compliance Impact

The vulnerability allows attackers to perform boolean-based blind data inference by supplying wildcard characters to improperly escaped binding values in Query By Example (QBE). This could potentially lead to unauthorized access or inference of sensitive data.

Such unauthorized data inference may impact compliance with data protection regulations like GDPR or HIPAA, which require protection against unauthorized access and disclosure of personal or sensitive information.

However, the vulnerability is not exploitable by default and requires explicit configuration exposing a QBE probe to untrusted input, which may limit the risk in many deployments.
