CVE-2026-41710 MEDIUM

CVE-2026-41710: Cache Exhaustion in Stateful Retries leads to Denial of Service

Vendor: Spring
Product: Spring Retry
Weakness: CWE-770 · Uncontrolled resource consumption
Published: June 9, 2026
Last update: June 9, 2026

CVSS base score

5.9/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.

Key dates

02 Disclosure timeline

June 9, 2026: CVE published
June 9, 2026: Record updated