Search results for "Spring", sorted by most viewed: 924 matches found

Spring Security Advisories
added 2024/03/19 12:00 a.m., 7 views

PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1 | AI score 6.4 | EPSS 0.00522
Exploits: 0 | References: 2
Spring Security Advisories
added 2024/03/18 12:00 a.m., 7 views

Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter.vote passing a null...

CVSS 8.2 | AI score 6.6 | EPSS 0.00776
Exploits: 0
Spring Security Advisories
added 2024/03/14 12:00 a.m., 7 views

Spring Framework URL Parsing with Host Validation (2nd report)

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks. This is the...

CVSS 8.1 | AI score 6.6 | EPSS 0.03967
Exploits: 1
Spring Security Advisories
added 2024/02/21 12:00 a.m., 7 views

Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks...

CVSS 8.1 | AI score 6.6 | EPSS 0.03967
Exploits: 1
Spring Security Advisories
added 2024/01/30 12:00 a.m., 7 views

Spring Tips: easy CQRS with Axon Framework

Hi, Spring fans! In this installment I'm joined by Axon Framework founder Allard Buijze and we look at the new integrations for Spring Boot developers in Axon Framework and AxonIQ Server. Special thanks to AxonIQ for the keynote video replay. Check out for more great stuff! java java21 axon...

AI score 7.2
Exploits: 0
Spring Security Advisories
added 2023/12/28 12:00 a.m., 7 views

A Bootiful Podcast: Trifork CTO Joris Kuipers

Hi, Spring fans! In this installment, Josh Long talks to longtime Spring community legend and Trifork CTO Joris Kuipers. Happy new year!...

AI score 7.2
Exploits: 0
Spring Security Advisories
added 2023/12/14 12:00 a.m., 7 views

A Bootiful Podcast: Microcks.io contributors Laurent Broudoux and Yacine-Kheddache

Hi, Spring fans! In this installment, I talk about the wide world of AI and then discuss microservice testing with Microcks.io contributors and founders Laurent Broudoux and Yacine-Kheddache. This was recorded live from Devoxx BE 2023!...

AI score 7.2
Exploits: 0
Spring Security Advisories
added 2023/11/27 12:00 a.m., 7 views

Spring Boot server Web Observations DoS Vulnerability

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:...

CVSS 5.3 | AI score 6.8 | EPSS 0.01219
Exploits: 0 | References: 1
Spring Security Advisories
added 2023/09/07 12:00 a.m., 7 views

A Bootiful Podcast: Spring Security lead Rob Winch

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast. In this interview, Josh Long (@starbuxman) talks to Spring Security legend and lead Rob Winch (@robwinch), recorded live from SpringOne 2023!...

AI score 6.8
Exploits: 0
Spring Security Advisories
added 2023/04/18 12:00 a.m., 7 views

This Week in Spring - April 18th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I just returned from Western Europe for Devoxx FR Paris and Kotlin Conf Amsterdam. I went home, saw my family, did some laundry, and then turned right back around to head to Chicago, Illinois, for a special joint...

AI score 6.6
Exploits: 0
Spring Security Advisories
added 2023/03/20 12:00 a.m., 7 views

Security Bypass With Un-Prefixed Double Wildcard Pattern

Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass...

CVSS 9.1 | AI score 6.6 | EPSS 0.03514
Exploits: 1 | References: 1
Spring Security Advisories
added 2023/03/02 12:00 a.m., 7 views

A Bootiful Podcast: Spring Cloud Stream and Spring Cloud Function lead Oleg Zhurakousky

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast! In this installment, our pal Oleg Zhurakousky (@zoleg), lead of Spring Cloud Stream and Spring Cloud Function, rejoins the show to talk about the latest and greatest in stream processing...

AI score 1.3
Exploits: 0
Spring Security Advisories
added 2023/01/18 12:00 a.m., 7 views

Interesting new filters on Spring Cloud Gateway 4.0

Spring Cloud Gateway 4.0 is finally here! Thanks to our community contributions we have introduced new features and interesting filters. This blog post details the noteworthy new features and explains some of the new filters included, how they work and how you can use them to provide more insights into your...

AI score 7
Exploits: 0
Spring Security Advisories
added 2022/06/20 12:00 a.m., 7 views

Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. Specifically, an application is vulnerable when all of the...

CVSS 9 | AI score 7.2 | EPSS 0.16903
Exploits: 3 | References: 1
Spring Security Advisories
added 2019/01/14 12:00 a.m., 7 views

XML External Entity Injection (XXE)

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...

CVSS 9.8 | AI score 7.2 | EPSS 0.0411
Exploits: 0 | References: 1
Spring Security Advisories
added 2018/12/18 12:00 a.m., 7 views

Authorization Bypass During JWT Issuer Validation with spring-security

Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...

CVSS 7.4 | AI score 6.1 | EPSS 0.00653
Exploits: 0 | References: 2
Spring Security Advisories
added 2018/06/14 12:00 a.m., 7 views

Cross Site Tracing (XST) with Spring Framework

Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS...

CVSS 5.9 | AI score 6.6 | EPSS 0.02781
Exploits: 0
Spring Security Advisories
added 2017/09/21 12:00 a.m., 7 views

RCE in PATCH requests in Spring Data REST

Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code...

CVSS 9.8 | AI score 8.4 | EPSS 0.72782
Exploits: 8 | References: 2
Spring Security Advisories
added 2017/05/31 12:00 a.m., 7 views

Data Binding Expression Vulnerability in Spring Web Flow

Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property (which is disabled by default, i.e. set to "false") can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data bindi...

CVSS 5.9 | AI score 6.6 | EPSS 0.15858
Exploits: 1 | References: 3
Spring Security Advisories
added 2016/07/07 12:00 a.m., 7 views

Spring Security / MVC Path Matching Inconsistency

Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Securit...

CVSS 7.5 | AI score 5.4 | EPSS 0.02837
Exploits: 0 | References: 3
Spring Security Advisories
added 2014/03/11 12:00 a.m., 7 views

XSS when using Spring MVC

When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested URI. An attacker can use this to inject malicious content into the form...

CVSS 4.3 | AI score 8.3 | EPSS 0.03348
Exploits: 0 | References: 3
Spring Security Advisories
added 15 hours ago, 6 views

This Week in Spring - June 30th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring, a weekly recap in which we review the latest and greatest in the wide and wonderful world of Spring. You probably already knew this. I don't know if I needed to mention it. But I like to. I've been doing this every week,...

AI score 5.8
Exploits: 0
Spring Security Advisories
added 2026/06/11 12:00 a.m., 6 views

CVE-2026-41708: Spring Cloud Sleuth instrumentation of Spring TX DoS vulnerability

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:...

CVSS 7.5 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/10 12:00 a.m., 6 views

CVE-2026-40998: Jaxp13 XPath XXE via StreamSource and SAXSource

Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted...

CVSS 8.2 | AI score 6 | EPSS 0.00352
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/10 12:00 a.m., 6 views

CVE-2026-41000: WSS4J validation does not use configured replay cache

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be...

CVSS 3.7 | AI score 5.8 | EPSS 0.00223
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/10 12:00 a.m., 6 views

CVE-2026-41700: Cross-Site WebSocket Hijacking in Spring for GraphQL

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. More precisely, an application is vulnerable when all the following are true: When all the conditions above are met, an attacker can trick an authenticated user into visitin...

CVSS 8.1 | AI score 6 | EPSS 0.00182
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41714: In Spring AMQP the `RabbitConnectionFactoryBean.setUri("amqps://...")` bypasses secure SSL setup, uses `TrustEverythingTrustManager`

Applications that configure their broker connection via `RabbitConnectionFactoryBean.setUri("amqps://...")` without also calling `setUseSSL(true)` get TLS encryption with no certificate validation and no hostname verification...

CVSS 4 | AI score 5.8 | EPSS 0.00132
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41729: Spring Data REST SpEL Injection via Map Key in JSON Patch

Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL...

CVSS 8.1 | AI score 5.9 | EPSS 0.00393
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41701: In Spring AMQP sequential correlation IDs enable reply poisoning on fixed reply queues

Correlation IDs for replies in RabbitTemplate.sendAndReceive with the fixed reply queue are predictable due to an internal simple counter...

CVSS 4.4 | AI score 5.8 | EPSS 0.00173
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41695: Denial of Service in Spring Data Commons Property Path Resolution

Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Specifically, an application is vulnerable when all of the following are true: Spring Data...

CVSS 7.5 | AI score 5.8 | EPSS 0.00363
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41717: Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding

Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. The application is vulnerable if all conditions...

CVSS 8.1 | AI score 5.8 | EPSS 0.00328
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41721: Spring Data Commons Denial of Service via Data Binding

Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate...

CVSS 5.9 | AI score 5.6 | EPSS 0.00331
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected applications are those whose domain model includes an embeddable object, collection, or map property...

CVSS 7.5 | AI score 5.8 | EPSS 0.00306
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41732: In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization

JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default...

CVSS 8.1 | AI score 5.9 | EPSS 0.00347
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41719: Spring Data KeyValue - SpEL Injection vulnerability in SpelPropertyComparator

A SpEL Injection vulnerability exists in Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. The application is vulnerable if all conditions below are true:...

CVSS 6.4 | AI score 5.8 | EPSS 0.00202
Exploits: 0 | References: 1 | Affected Software: 2
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-41697: Spring Data Relational Parameter not Escaped for Query By Example LIKE Pattern

Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher STARTING, ENDING, or CONTAINING in Query By Example (QBE). If an application actively wires externally-controlled input into a QBE probe, an attacker can supply wildcard characters...

CVSS 4.8 | AI score 5.8 | EPSS 0.00227
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/09 12:00 a.m., 6 views

CVE-2026-40988: Unbounded DEFLATE Inflation in SAML 2.0 Service Provider

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory...

CVSS 7.5 | AI score 5.2 | EPSS 0.00331
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/08 12:00 a.m., 6 views

CVE-2026-41720: Authentication Bypass with Empty Password in Spring LDAP

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. RFC 4513 Section 5.1.2 defines this as an unauthenticated bind. On LDAP servers that permit such binds, an attacker with a valid usernam...

CVSS 7.4 | AI score 5.8 | EPSS 0.00257
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/08 12:00 a.m., 6 views

CVE-2026-41710: Cache Exhaustion in Stateful Retries leads to Denial of Service

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to...

CVSS 5.9 | AI score 5.8 | EPSS 0.0028
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/08 12:00 a.m., 6 views

Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected applications are those that have enabled the...

CVSS 7.5 | AI score 5.9 | EPSS 0.00276
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/08 12:00 a.m., 6 views

CVE-2026-41841: Spring Framework Information Disclosure via Static Resource Cache in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: When all the conditions above are met, an attacker can get access to a protected resource if a...

CVSS 5.9 | AI score 5.8 | EPSS 0.00313
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/06/08 12:00 a.m., 6 views

CVE-2026-41842: Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: When all the conditions above are met, an attacker can send malicious requests that are slow to...

CVSS 7.5 | AI score 5.3 | EPSS 0.00399
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/05/19 12:00 a.m., 6 views

This Week in Spring - May 19th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring, this one written from the back of a taxi racing to the local Frankfurt train station, where I'll take a train to Munich for the amazing Kotlin Conf 2026 edition, where I'll be part of the keynote and deliver a talk on the...

AI score 5.8
Exploits: 0
Spring Security Advisories
added 2026/05/08 12:00 a.m., 6 views

Expression injection in MilvusVectorStore doDelete allows data destruction

Spring AI's MilvusVectorStore.doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs...

CVSS 8.6 | AI score 5.8 | EPSS 0.00353
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/05/08 12:00 a.m., 6 views

ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users...

CVSS 7.5 | AI score 5.5 | EPSS 0.0026
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/05/06 12:00 a.m., 6 views

Directory Traversal with spring-cloud-config-server

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack...

CVSS 9.1 | AI score 6 | EPSS 0.00793
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/05/06 12:00 a.m., 6 views

Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager

When using Google Secrets Manager as a backend for the Spring Cloud Config server, a client can craft a request to the config server potentially exposing secrets from unintended GCP projects...

CVSS 7.5 | AI score 5.8 | EPSS 0.0038
Exploits: 0 | References: 1 | Affected Software: 1
Spring Security Advisories
added 2026/05/05 12:00 a.m., 6 views

This Week in Spring - May 5th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 5th, 2026, and I'm in Mainz, Germany, for the legendary JAX conference! It's been infinitely far too long since I've been at this amazing show, and I'm oh-so happy to be back here! Tonight, after my two talks here, I...

AI score 5.8
Exploits: 0
Spring Security Advisories
added 2026/04/30 12:00 a.m., 6 views

Ronald Dehuysser, founder of JobRunr, on their ambitious new JavaClaw-like agent runtime

Hi, Spring fans! In this installment, I talk to my friend and JobRunr founder Ronald Dehuysser about the latest and greatest, and their new "JavaClaw" project!...

AI score 5.2
Exploits: 0
Spring Security Advisories
added 2026/04/23 12:00 a.m., 6 views

Random value property source uses a weak PRNG unsuitable for secrets

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range...

CVSS 4.8 | AI score 5.8 | EPSS 0.00211
Exploits: 0 | References: 1 | Affected Software: 1
Total number of security vulnerabilities: 924