CVE-2026-41697
Status: Awaiting Analysis (queue)

Boolean-Based Blind Injection in Spring Data Relational

Vulnerability report for CVE-2026-41697, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-27

Assigner: VMware

Description

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-27
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
References: NVD, EUVD

Affected Vendors & Products (3 associated CPEs)

Vendor   Product           Version / Range
spring   data_relational   From 2.4.0 (inc) to 4.0.5 (inc)
spring   data_jdbc         From 2.4.0 (inc) to 4.0.5 (inc)
spring   data_r2dbc        From 1.5.0 (inc) to 4.0.5 (inc)

CWE

CWE-943: The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

AI Quick Actions
Executive Summary

CVE-2026-41697 is a vulnerability in Spring Data Relational where externally-controlled input values are not properly escaped when using StringMatcher options (STARTING, ENDING, or CONTAINING) in Query By Example (QBE).

This improper escaping allows an attacker to supply wildcard characters that can be used to perform boolean-based blind data inference attacks, potentially revealing sensitive information.

However, the vulnerability is not exploitable by default and requires the application developer to explicitly configure and expose a QBE probe that accepts untrusted input.

Impact Analysis

If exploited, this vulnerability can allow an attacker to infer data from the system by using specially crafted input with wildcard characters.

This could lead to unauthorized disclosure of sensitive information through boolean-based blind data inference.

The impact includes limited confidentiality loss and some availability impact, as indicated by the CVSS score (Confidentiality: Low, Availability: Low).

Detection Guidance

This vulnerability occurs when an application explicitly configures and exposes a Query By Example (QBE) probe that accepts untrusted input using StringMatcher (STARTING, ENDING, or CONTAINING). Detection involves reviewing application code and configurations to identify such usage.

No network or system commands are provided for detecting this vulnerability automatically; detection relies on code and configuration review.

Compliance Impact

The vulnerability allows attackers to perform boolean-based blind data inference by supplying wildcard characters to improperly escaped binding values in Query By Example (QBE). This could potentially lead to unauthorized access or inference of sensitive data.

Such unauthorized data inference may impact compliance with data protection regulations like GDPR or HIPAA, which require protection against unauthorized access and disclosure of personal or sensitive information.

However, the vulnerability is not exploitable by default and requires explicit configuration exposing a QBE probe to untrusted input, which may limit the risk in many deployments.

Mitigation Strategies

The primary mitigation step is to upgrade affected Spring Data Relational, Spring Data JDBC, or Spring Data R2DBC versions to the fixed releases.

  • Upgrade to Spring Data Relational versions 4.0.6, 3.5.12, 3.4.15, 3.3.17, or 2.4.20 depending on your branch.
  • Avoid exposing QBE probes that accept untrusted input using StringMatcher with wildcard characters.
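The escaping the description says is missing, shown as an added Python demonstration (not Spring Data's code) that serves both the description and the mitigation list above. It builds a CONTAINING match two ways against a few constructed rows in an in-memory SQLite table: once with the bound value wrapped in '%' but its own LIKE metacharacters left active, which is the behaviour the advisory describes, and once with '%', '_' and the escape character escaped and an ESCAPE clause declared. The table, rows, function names and the choice of backslash as escape character are all assumptions of this example.

```python
import sqlite3

# Constructed sample rows standing in for a table a QBE probe might search.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol_x", "carol@example.com"),
]

# Escape character chosen for this example; it must also be named in the ESCAPE clause.
LIKE_ESCAPE = "\\"


def escape_like(value: str, escape: str = LIKE_ESCAPE) -> str:
    """Escape LIKE metacharacters so a user-supplied value matches literally.

    The escape character is doubled first, then '%' and '_' are prefixed with it.
    The result is only safe when the statement carries a matching ESCAPE clause.
    """
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def containing_unescaped(probe: str) -> list[str]:
    """CONTAINING built the unsafe way: the value is bound, so this is not
    classic SQL injection, but '%' and '_' inside it still act as wildcards."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%' ORDER BY name",
        (probe,),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


def containing_escaped(probe: str) -> list[str]:
    """CONTAINING built the safe way: metacharacters in the bound value are
    escaped and the statement declares which character escapes them."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE '%' || ? || '%' ESCAPE ? ORDER BY name",
        (escape_like(probe), LIKE_ESCAPE),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for probe in ("bob", "%", "a_i"):
        print(f"{probe!r:8} unescaped={containing_unescaped(probe)} "
              f"escaped={containing_escaped(probe)}")
```

The unescaped form lets a single '%' match every row and a '_' stand in for any one character, which is exactly the broad matching that makes yes/no inference possible; the escaped form only matches rows that literally contain the submitted text. The same escaping has to be applied for STARTING and ENDING matchers, since they wrap the bound value in a wildcard on one side in the same way.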
