CVE-2026-40989

Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.5 / Impact : 4.7

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://spring.io/security/cve-2026-40989

Configurations

No configuration.

History

01 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-01 19:16

Updated : 2026-06-02 14:01

NVD link : CVE-2026-40989

Mitre link : CVE-2026-40989

CVE.ORG link : CVE-2026-40989

JSON object : View

Products Affected

No product.

CWE

CWE-674

Uncontrolled Recursion

5.7 /10