CVE-2026-41730
Information Disclosure in Spring Data REST

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Affected Vendors & Products

| Vendor | Product | Version range |
| --- | --- | --- |
| spring_project | spring_data_rest | 3.7.0 to 3.7.19 (inclusive) |
| spring_project | spring_data_rest | 4.3.0 to 4.3.16 (inclusive) |
| spring_project | spring_data_rest | 4.4.0 to 4.4.14 (inclusive) |
| spring_project | spring_data_rest | 4.5.0 to 4.5.11 (inclusive) |
| spring_project | spring_data_rest | 5.0.0 to 5.0.5 (inclusive) |
CWE: CWE-209, "The product generates an error message that includes sensitive information about its environment, users, or associated data."
Executive Summary

CVE-2026-41730 is a security vulnerability in Spring Data REST where the full exception cause chain is serialized into HTTP error response bodies.

This means that internal details of the persistence layer, such as JDBC or JPA internals, are exposed to HTTP clients when errors occur.

The issue affects applications using Spring Data REST repositories backed by relational databases, especially if they lack proper error-handling configurations or security policies to restrict unauthenticated access.

Impact Analysis

This vulnerability can lead to exposure of sensitive internal information about the persistence layer to unauthorized HTTP clients.

Such information disclosure can aid attackers in understanding the database structure or backend implementation, potentially facilitating further attacks.

Applications without proper error handling or security restrictions on vulnerable endpoints are particularly at risk.

Detection Guidance

This vulnerability can be detected by observing HTTP error response bodies from Spring Data REST endpoints for the presence of detailed exception cause chains that expose persistence-layer internals.

Specifically, you can monitor HTTP responses for error messages that reveal JDBC or JPA internal details.

The advisory provides no explicit commands, but tools such as curl or wget can send requests to your own Spring Data REST endpoints so you can inspect the error responses they return.

  • curl -i http://your-spring-data-rest-endpoint/resource-that-might-error
  • Look for HTTP error responses (e.g., 4xx or 5xx) containing detailed exception stack traces or persistence-layer information.
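The inspection described above, as an added example that is not part of the advisory or the Spring project: a Python check that walks the nested exception cause chain of a captured JSON error body and flags persistence-layer markers. The nested "cause" JSON shape, the marker list and the sample responses are constructed assumptions, so adapt them to what your endpoints actually return.

```python
import json
import re

# Constructed sample (status, body) pairs, not real captures. The nested
# "cause" object is an assumed shape for the serialized exception cause chain.
SAMPLE_RESPONSES = [
    (500, json.dumps({"message": "could not execute statement", "cause": {
        "message": 'ERROR: duplicate key value violates unique constraint "users_email_key"',
        "cause": None}})),
    (404, json.dumps({"message": "Resource not found", "cause": None})),
    (200, json.dumps({"name": "alice"})),
    (500, "<html>Internal Server Error</html>"),  # non-JSON error page
]

# Strings that normally appear only when JDBC/JPA/Hibernate internals leak.
LEAK_MARKERS = re.compile(
    r"org\.hibernate|java\.sql\.|jakarta\.persistence|javax\.persistence|"
    r"org\.springframework\.(dao|orm|jdbc)|SQLException|could not execute statement|"
    r"violates unique constraint|ConstraintViolation", re.IGNORECASE)


def cause_chain(payload):
    """Flatten {"message": ..., "cause": {...}} into (depth, message) pairs."""
    out, node, depth = [], payload, 0
    while isinstance(node, dict):
        out.append((depth, str(node.get("message", ""))))
        node, depth = node.get("cause"), depth + 1
    return out


def find_leaks(status, body):
    """Return (depth, message, reason) for each leaky level of one error response."""
    if status < 400:
        return []  # only error responses carry the exception body
    try:
        payload = json.loads(body)
    except ValueError:
        return []  # not a JSON error body; nothing to walk
    findings = []
    for depth, message in cause_chain(payload):
        if depth > 0 or LEAK_MARKERS.search(message):
            # Any serialized cause is the defect itself; a marker at depth 0 is
            # the persistence layer speaking through the top-level message.
            reason = "nested cause serialized" if depth > 0 else "persistence-layer marker"
            findings.append((depth, message, reason))
    return findings


def scan(responses):
    """Map response index to findings, keeping only responses that leak."""
    return {i: f for i, (s, b) in enumerate(responses) if (f := find_leaks(s, b))}
```

Running `scan(SAMPLE_RESPONSES)` flags only the first response: its top-level message matches a Hibernate marker and it carries a nested cause with the raw database error.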
Mitigation Strategies

The primary mitigation step is to upgrade Spring Data REST to a fixed version that addresses this vulnerability.

  • Upgrade to Spring Data REST version 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6 depending on your current version.

Additionally, ensure proper error-handling configurations and security policies are in place to restrict unauthenticated access to vulnerable endpoints.

Compliance Impact

This vulnerability exposes internal persistence-layer details to HTTP clients by serializing the full exception cause chain in error responses. Such exposure of internal system information can increase the risk of data leakage or unauthorized access, which may conflict with compliance requirements under standards like GDPR and HIPAA that mandate protection of sensitive data and system confidentiality.

Applications using affected versions of Spring Data REST without proper error-handling or security policies may inadvertently disclose sensitive backend information, potentially violating data protection regulations that require minimizing information disclosure to unauthorized parties.
