CVE-2026-41730
Status: Awaiting Analysis

Information Disclosure in Spring Data REST

Vulnerability report for CVE-2026-41730, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-22

Assigner: VMware

Description

Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-22
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External records: NVD, EUVD

Affected Vendors & Products

5 associated CPEs:

Vendor   Product            Version / Range
vmware   spring_data_rest   From 3.7.0 (inc) to 3.7.19 (inc)
vmware   spring_data_rest   From 4.3.0 (inc) to 4.3.16 (inc)
vmware   spring_data_rest   From 4.4.0 (inc) to 4.4.14 (inc)
vmware   spring_data_rest   From 4.5.0 (inc) to 4.5.11 (inc)
vmware   spring_data_rest   From 5.0.0 (inc) to 5.0.5 (inc)

Exploitability

CWE: CWE-209 - The product generates an error message that includes sensitive information about its environment, users, or associated data.

AI Quick Actions

The following sections are AI-generated insights.
Executive Summary

CVE-2026-41730 is a security vulnerability in Spring Data REST where the full exception cause chain is serialized into HTTP error response bodies.

This means that internal details of the persistence layer, such as JDBC or JPA internals, are exposed to HTTP clients when errors occur.

The issue affects applications using Spring Data REST repositories backed by relational databases, especially if they lack proper error-handling configurations or security policies to restrict unauthenticated access.

Compliance Impact

This vulnerability exposes internal persistence-layer details to HTTP clients by serializing the full exception cause chain in error responses. Such exposure of internal system information can increase the risk of data leakage or unauthorized access, which may conflict with compliance requirements under standards like GDPR and HIPAA that mandate protection of sensitive data and system confidentiality.

Applications using affected versions of Spring Data REST without proper error-handling or security policies may inadvertently disclose sensitive backend information, potentially violating data protection regulations that require minimizing information disclosure to unauthorized parties.

Impact Analysis

This vulnerability can lead to exposure of sensitive internal information about the persistence layer to unauthorized HTTP clients.

Such information disclosure can aid attackers in understanding the database structure or backend implementation, potentially facilitating further attacks.

Applications without proper error handling or security restrictions on vulnerable endpoints are particularly at risk.

Detection Guidance

This vulnerability can be detected by observing HTTP error response bodies from Spring Data REST endpoints for the presence of detailed exception cause chains that expose persistence-layer internals.

Specifically, you can monitor HTTP responses for error messages that reveal JDBC or JPA internal details.

The advisory does not give specific commands, but you can use tools such as curl or wget to send requests to your own Spring Data REST endpoints and inspect the error responses:

  • curl -i http://your-spring-data-rest-endpoint/resource-that-might-error
  • Look for HTTP error responses (e.g., 4xx or 5xx) containing detailed exception cause chains, stack traces, or other persistence-layer information.
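As an added example (not code from the advisory or from the Spring project), the check described above written as a small Python scanner that can be run over captured error bodies: it walks the nested cause chain the description says Spring Data REST serializes and flags any message carrying a JDBC/JPA package name or echoed SQL text. The JSON shape (a top-level "message" with nested "cause" objects), the marker list, and the sample responses are assumptions constructed for this example, not captures from a real deployment.

```python
import json
import re
from dataclasses import dataclass, field

# Package prefixes whose presence in an error body indicates persistence-layer
# internals (JDBC drivers, JPA providers, Spring's DAO/ORM/JDBC layer) reaching
# the client. The list is an assumption for this example, not taken from the
# advisory; extend it for the driver and ORM your deployment actually uses.
PERSISTENCE_MARKERS = (
    "java.sql.",
    "javax.persistence.",
    "jakarta.persistence.",
    "org.hibernate.",
    "org.springframework.dao.",
    "org.springframework.orm.",
    "org.springframework.jdbc.",
    "org.postgresql.",
    "com.mysql.",
)

# Loose pattern for SQL text echoed back from a failed statement.
SQL_FRAGMENT = re.compile(
    r"\b(select|insert|update|delete)\b.{0,200}?\b(from|into|set|where)\b",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class ScanResult:
    status: int
    chain_depth: int = 0  # deepest nested "cause" entry seen (0 = no chain)
    findings: list = field(default_factory=list)  # (depth, marker, message)

    @property
    def leaks(self) -> bool:
        return bool(self.findings)


def cause_chain(body):
    """Yield (depth, message) for the top-level message and each nested cause.

    Assumes the body has the shape {"message": ..., "cause": {"message": ...,
    "cause": ...}} (an assumption about the serialized form); a body that is
    not JSON is treated as a single depth-0 message.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            yield 0, body
            return
    depth, node = 0, body
    while isinstance(node, dict):
        message = node.get("message")
        if isinstance(message, str):
            yield depth, message
        node = node.get("cause")
        depth += 1


def scan_response(status: int, body) -> ScanResult:
    """Scan one HTTP response; only error responses (4xx/5xx) are inspected."""
    result = ScanResult(status=status)
    if not 400 <= status <= 599:
        return result
    for depth, message in cause_chain(body):
        result.chain_depth = max(result.chain_depth, depth)
        for marker in PERSISTENCE_MARKERS:
            if marker in message:
                result.findings.append((depth, marker, message))
                break
        else:  # no package marker matched: still flag echoed SQL text
            if SQL_FRAGMENT.search(message):
                result.findings.append((depth, "sql-fragment", message))
    return result


# Constructed sample responses: one approximating an affected deployment that
# serializes the whole cause chain, one with a minimal error body, one success.
SAMPLE_RESPONSES = {
    "leaky": (500, json.dumps({
        "message": "could not execute statement",
        "cause": {
            "message": "org.hibernate.exception.ConstraintViolationException: could not execute statement",
            "cause": {
                "message": "java.sql.SQLIntegrityConstraintViolationException: Duplicate entry 'a@example.com' for key 'users.email'",
            },
        },
    })),
    "hardened": (409, json.dumps({"message": "Conflict"})),
    "success": (200, json.dumps({"_embedded": {"users": []}})),
}


def summarize(samples=SAMPLE_RESPONSES):
    """Scan every sample and return {name: ScanResult}."""
    return {name: scan_response(status, body) for name, (status, body) in samples.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        verdict = "LEAK" if result.leaks else "ok"
        print(f"{name:9s} HTTP {result.status} cause-depth={result.chain_depth} {verdict}")
        for depth, marker, message in result.findings:
            print(f"    cause[{depth}] {marker}: {message[:80]}")
```

Feed it the bodies of the 4xx/5xx responses collected with curl from your own endpoints; a non-zero cause depth is itself worth noting even when no marker matches, because the fixed versions are described as no longer serializing the chain at all.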

Mitigation Strategies

The primary mitigation step is to upgrade Spring Data REST to a fixed version that addresses this vulnerability.

  • Upgrade to Spring Data REST version 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6 depending on your current version.

Additionally, ensure proper error-handling configurations and security policies are in place to restrict unauthenticated access to vulnerable endpoints.
