CVE-2026-41710
Status: Received - Intake
Stateful Retry Cache Exhaustion in Spring Retry

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
vmware spring_retry: from 2.0.0 (inclusive) to 2.0.12 (inclusive)
vmware spring_retry: from 1.3.0 (inclusive) to 1.3.4 (inclusive)
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Quick Actions
Executive Summary

CVE-2026-41710 is a medium-severity vulnerability in Spring Retry versions 2.0.0 to 2.0.12 and 1.3.0 to 1.3.4. It occurs when an attacker sends a large number of unique requests that cause failures, which fill up the application-wide stateful retry cache.

Once this cache is full, it permanently rejects any further updates, causing all subsequent stateful retries and circuit breakers in the application to fail.

This vulnerability only affects applications that explicitly enable stateful retries using the @Retryable(stateful=true) annotation, where cache keys can be controlled by the attacker, such as when default key generators use attacker-provided method arguments.

Failed cache entries are only removed upon success or retry exhaustion, so failed requests that are abandoned remain in the cache indefinitely, leading to exhaustion.

Stateless retries, which are the default behavior, are not affected by this issue.

Impact Analysis

The vulnerability can cause denial of service conditions in applications using stateful retries by exhausting the retry cache.

When the cache is full, the application permanently rejects further updates to the retry cache, causing all later stateful retries and circuit breakers to fail.

This failure can disrupt normal application behavior, potentially leading to degraded service availability or unexpected application errors.

Detection Guidance

This vulnerability affects applications that explicitly enable stateful retries using @Retryable(stateful=true) with cache keys that can be controlled by an attacker. Detection involves monitoring for an unusually high number of unique failed retry requests that could exhaust the stateful retry cache.

Since the cache fills up and permanently rejects further updates, signs of the vulnerability include failure of subsequent stateful retries and circuit breakers in the application.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Spring Retry to the fixed versions: 2.0.13 for the 2.0.x line or 1.3.5 for the 1.3.x line. For Enterprise Support customers, versions 2.0.12.1 and 1.3.5 are available.

Additionally, avoid enabling stateful retries with attacker-controlled cache keys or consider switching to stateless retries, which are not affected by this issue.
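The weak and corrected annotation forms that the guidance above contrasts, shown as an added example that is not part of this record or of Spring Retry's own code; PricingClient, PricingGateway, PriceQuote and TransientGatewayException are hypothetical names, and the comments note the Spring Retry 2.x attribute spelling used.

```java
import org.springframework.retry.annotation.Backoff;
import org.springframework.retry.annotation.Recover;
import org.springframework.retry.annotation.Retryable;

// Added illustration for CVE-2026-41710, not code from this record or from Spring Retry.
// PricingClient, PricingGateway, PriceQuote and TransientGatewayException are hypothetical.
// The class must be a Spring bean in a context annotated @EnableRetry; Spring Retry 2.x
// attribute names are used (retryFor), which the 1.3.x line spells include.
public class PricingClient {

    // Hypothetical failure raised by the downstream call when a retry is worthwhile.
    public static class TransientGatewayException extends RuntimeException {
        public TransientGatewayException(String message) { super(message); }
    }

    // Hypothetical downstream dependency.
    public interface PricingGateway {
        PriceQuote fetch(String sku);
    }

    // Hypothetical result; a null price means the quote could not be obtained.
    public record PriceQuote(String sku, Long cents) {}

    private final PricingGateway gateway;
    public PricingClient(PricingGateway gateway) { this.gateway = gateway; }

    // WEAK SETTING (the configuration the advisory describes): a stateful retry whose only
    // argument is caller input. Without a custom key generator the retry-cache key comes
    // from the method arguments, so every distinct SKU whose attempt fails holds an
    // application-wide cache entry until it later succeeds or exhausts its attempts. Abandoned
    // failures are never evicted; once enough unique ones fill the cache, every stateful retry
    // and circuit breaker in the application is rejected.
    @Retryable(stateful = true, retryFor = TransientGatewayException.class, maxAttempts = 3)
    public PriceQuote quoteStateful(String clientSuppliedSku) {
        return gateway.fetch(clientSuppliedSku);
    }

    // CORRECTED SETTING: stateless retry, the default. Attempts and back-off run inside this
    // one invocation and nothing is kept between calls, so request-derived values never
    // become keys in a shared cache.
    @Retryable(retryFor = TransientGatewayException.class, maxAttempts = 3,
            backoff = @Backoff(delay = 200, multiplier = 2.0))
    public PriceQuote quote(String clientSuppliedSku) {
        return gateway.fetch(clientSuppliedSku);
    }

    // Runs once the attempts are exhausted; for the stateful form this is also the point
    // at which the cache entry for that key is released.
    @Recover
    public PriceQuote unavailable(TransientGatewayException cause, String sku) {
        return new PriceQuote(sku, null);
    }
}
```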
