CVE-2026-41710
Status: Awaiting Analysis

Stateful Retry Cache Exhaustion in Spring Retry

Vulnerability report for CVE-2026-41710, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-23

Assigner: VMware

Description

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.

CVSS and EPSS Scores

No CVSS vector, EPSS probability or EPSS percentile is shown on this page (the entry is still awaiting analysis).

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-23
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External entries: NVD, EUVD

Affected Vendors & Products

2 associated CPEs:

Vendor   Product        Version range
vmware   spring_retry   2.0.0 (inclusive) to 2.0.12 (inclusive)
vmware   spring_retry   1.3.0 (inclusive) to 1.3.4 (inclusive)


Exploitability

CWE: CWE-770, Allocation of Resources Without Limits or Throttling. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
KEV: no CISA Known Exploited Vulnerabilities listing is shown on this page.

Attack-Flow Graph: rendered as an image on the original page; not reproduced here.

AI-generated analysis

The Executive Summary, Impact Analysis, Detection Guidance and Mitigation Strategies below were produced by the site's AI assistant.

Executive Summary

CVE-2026-41710 is a denial-of-service vulnerability in Spring Retry versions 2.0.0 through 2.0.12 and 1.3.0 through 1.3.4, rated medium severity here although no CVSS vector is published on this page. An attacker sends a large number of requests with distinct cache keys, each of which fails; every failure leaves an entry in the application-wide stateful retry cache until the cache is full.

Once this cache is full, it permanently rejects any further updates, causing all subsequent stateful retries and circuit breakers in the application to fail.

Only applications that explicitly enable stateful retries with @Retryable(stateful=true), and whose cache keys an attacker can influence, are affected. The default key for a stateful method is derived from its method arguments, so a method whose arguments come straight from a request is the typical exposed case.

A failed entry is removed from the cache only when a later invocation with the same key either succeeds or exhausts its attempts. A request that fails once and is never resubmitted with the same key therefore stays in the cache indefinitely, which is exactly what the attacker relies on to exhaust it.

Stateless retries, which are the default behavior, are not affected by this issue.
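How the exhaustion plays out, as an added example that is not code from Spring Retry or from this advisory: it runs a RetryTemplate in stateful mode against a MapRetryContextCache (the same kind of cache the annotation interceptor uses for stateful retries) with a constructed capacity of 4, constructed key names, and a callback that always fails. The real shared cache is much larger, so an attack needs correspondingly more unique keys, but the sequence is the same.

```java
import org.springframework.retry.RetryCallback;
import org.springframework.retry.policy.MapRetryContextCache;
import org.springframework.retry.policy.RetryCacheCapacityExceededException;
import org.springframework.retry.policy.SimpleRetryPolicy;
import org.springframework.retry.support.DefaultRetryState;
import org.springframework.retry.support.RetryTemplate;

/**
 * Added example, not code from Spring Retry or from this advisory. Drives a
 * RetryTemplate in stateful mode against a deliberately tiny cache so the
 * exhaustion is visible after a handful of calls. The capacity of 4, the key
 * names and the always-failing "downstream" are constructed for the demo.
 */
public class StatefulRetryCacheExhaustionDemo {

    // Stands in for the shared cache behind @Retryable(stateful = true); the real
    // default capacity is much larger, but an abandoned key costs a slot either way.
    static final int CAPACITY = 4;

    static RetryTemplate statefulTemplate() {
        RetryTemplate template = new RetryTemplate();
        template.setRetryPolicy(new SimpleRetryPolicy(3));            // 3 attempts per key
        template.setRetryContextCache(new MapRetryContextCache(CAPACITY));
        return template;
    }

    /** Invokes the template with a caller-chosen key and a call that always fails. */
    static Exception failWithKey(RetryTemplate template, String key) {
        try {
            template.execute((RetryCallback<Void, RuntimeException>) ctx -> {
                throw new IllegalStateException("downstream rejected " + key);
            }, new DefaultRetryState(key));
            return null;
        } catch (Exception e) {
            return e;   // stateful mode rethrows after each failed attempt
        }
    }

    /** Re-invokes an already cached key with a call that succeeds, which frees its slot. */
    static void succeedWithKey(RetryTemplate template, String key) {
        template.execute((RetryCallback<Void, RuntimeException>) ctx -> null,
                new DefaultRetryState(key));
    }

    /** True if the failure was the cache refusing to store or update a retry context. */
    static boolean cacheRefused(Throwable e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof RetryCacheCapacityExceededException) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        RetryTemplate template = statefulTemplate();

        // 1. Attacker: CAPACITY distinct keys, each fails once and is never resubmitted.
        //    Each call surfaces only the IllegalStateException; the contexts stay cached.
        for (int i = 0; i < CAPACITY; i++) {
            Exception e = failWithKey(template, "attacker-" + i);
            System.out.println("abandoned key " + i + " -> " + e.getClass().getSimpleName());
        }

        // 2. Victim: a legitimate key whose first failure can no longer be recorded.
        Exception blocked = failWithKey(template, "order-42");
        System.out.println("legitimate stateful retry refused by full cache: "
                + cacheRefused(blocked));

        // 3. Entries leave the cache only on success or exhaustion: completing one of the
        //    attacker's keys frees a slot, and the legitimate key's failure is recorded again.
        succeedWithKey(template, "attacker-0");
        Exception recorded = failWithKey(template, "order-42");
        System.out.println("after one slot is freed, refused: " + cacheRefused(recorded));
    }
}
```

Run it with spring-retry (and its spring-core dependency) on the classpath. On an affected version the first four calls return the callback's IllegalStateException, the call for order-42 returns a TerminatedRetryException whose cause is RetryCacheCapacityExceededException, and once attacker-0 has been completed the order-42 failure is recorded normally again. The cache checks its size on every put, including updates of keys it already holds, which is why the description says a full cache rejects all further updates rather than only new keys.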

Impact Analysis

The vulnerability can cause denial of service conditions in applications using stateful retries by exhausting the retry cache.

When the cache is full, the application permanently rejects further updates to the retry cache, causing all later stateful retries and circuit breakers to fail.

This failure can disrupt normal application behavior, potentially leading to degraded service availability or unexpected application errors.

Detection Guidance

This vulnerability affects applications that explicitly enable stateful retries using @Retryable(stateful=true) with cache keys that can be controlled by an attacker. Detection involves monitoring for an unusually high number of unique failed retry requests that could exhaust the stateful retry cache.

Because a full cache refuses further updates, the symptom is that stateful retries and circuit breakers across the whole application start failing at once. In affected versions the cache reports the refusal as a RetryCacheCapacityExceededException (org.springframework.retry.policy), which RetryTemplate surfaces to the caller wrapped in a TerminatedRetryException; a search of application logs for either class name is the most direct indicator.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Spring Retry to the fixed versions: 2.0.13 for the 2.0.x line or 1.3.5 for the 1.3.x line. For Enterprise Support customers, versions 2.0.12.1 and 1.3.5 are available.

Additionally, do not enable stateful retries on code paths where the cache key is derived from attacker-controlled input; where the retry does not need to survive across invocations, use stateless retries (the default), which are not affected by this issue.
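The exposed pattern next to two hardened forms, as an added example (not the project's code; the service, method and bean names, GatewayException, Delivery and Downstream are hypothetical, while the Spring Retry annotations and builder calls are real API). The first service keys a stateful retry on a caller-supplied argument. The second keeps the same retry semantics statelessly, and routes the one place that genuinely needs stateful retry through a dedicated interceptor with its own cache and a key the caller does not choose. retryFor is the Spring Retry 2.0.x attribute; on 1.3.x use value/include.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.retry.annotation.Backoff;
import org.springframework.retry.annotation.EnableRetry;
import org.springframework.retry.annotation.Retryable;
import org.springframework.retry.interceptor.RetryInterceptorBuilder;
import org.springframework.retry.interceptor.StatefulRetryOperationsInterceptor;
import org.springframework.retry.policy.MapRetryContextCache;
import org.springframework.retry.policy.SimpleRetryPolicy;
import org.springframework.retry.support.RetryTemplate;
import org.springframework.stereotype.Service;

// Added example, not code from Spring Retry or this advisory. Class, method and
// bean names, GatewayException, Delivery and Downstream are hypothetical.

class GatewayException extends RuntimeException {
    GatewayException(String message) { super(message); }
}

/** Broker-delivered message; the broker, not the sender, assigns messageId. */
final class Delivery {
    private final String messageId;
    private final String payload;
    Delivery(String messageId, String payload) { this.messageId = messageId; this.payload = payload; }
    String getMessageId() { return messageId; }
    String getPayload() { return payload; }
}

final class Downstream {
    // Constructed stand-in: ids that start with "bad-" make the downstream reject the call.
    static String call(String id) {
        if (id.startsWith("bad-")) {
            throw new GatewayException("downstream rejected " + id);
        }
        return "accepted " + id;
    }
}

@Configuration
@EnableRetry
class RetryConfig {

    // Code that genuinely needs stateful retry gets its own RetryTemplate and cache,
    // so exhausting it cannot stop every other stateful retry or circuit breaker that
    // shares the annotation interceptor's application-wide cache.
    @Bean
    StatefulRetryOperationsInterceptor deliveryRetryInterceptor() {
        RetryTemplate template = new RetryTemplate();
        template.setRetryPolicy(new SimpleRetryPolicy(5));
        template.setRetryContextCache(new MapRetryContextCache(1024));
        return RetryInterceptorBuilder.stateful()
                // Key on the broker-assigned message id rather than on sender-chosen data:
                // the broker re-delivers with the same id until success or exhaustion,
                // so entries are removed instead of being abandoned.
                .keyGenerator(args -> ((Delivery) args[0]).getMessageId())
                .retryOperations(template)
                .build();
    }
}

@Service
class VulnerableOrderGateway {
    // Exposed pattern: stateful retry on a request handler. With one argument the
    // default cache key is that argument, so every distinct orderId whose call fails
    // once and is never resubmitted holds a slot in the shared cache until restart.
    @Retryable(stateful = true, maxAttempts = 3, retryFor = GatewayException.class)
    public String submit(String orderId) {
        return Downstream.call(orderId);
    }
}

@Service
class HardenedOrderGateway {
    // Stateless retry (the default): the attempts happen inside this one call and
    // nothing is cached between invocations, so caller-chosen ids cannot accumulate.
    @Retryable(maxAttempts = 3, retryFor = GatewayException.class,
               backoff = @Backoff(delay = 200, multiplier = 2.0))
    public String submit(String orderId) {
        return Downstream.call(orderId);
    }

    // Stateful retry kept only where the caller is a broker that re-delivers, and
    // routed through the isolated interceptor above instead of the shared cache.
    @Retryable(interceptor = "deliveryRetryInterceptor")
    public void onDelivery(Delivery delivery) {
        Downstream.call(delivery.getPayload());
    }
}
```

Two practical notes. First, @CircuitBreaker is itself meta-annotated @Retryable(stateful = true) and keys the cache by method rather than by argument, so it cannot be used to fill the cache but is one of the consumers that stops working once the cache is full; isolating request-driven stateful retries as above keeps that blast radius small. Second, confirm the upgrade actually reached the classpath: the artifact is org.springframework.retry:spring-retry, and `mvn dependency:tree -Dincludes=org.springframework.retry` should show 2.0.13 or 1.3.5 (or the enterprise builds listed above), not a version pulled in transitively from an older BOM.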
