CVE-2026-40989 PUBLISHED

Self Routing guard bypassed via function composition

Assigner: vmware
Reserved: 16.04.2026 Published: 01.06.2026 Updated: 01.06.2026

Under infinite recursion in the routing layer, request-handling can cause OOM error.

Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
CVSS Score: 5.7

Attack Vector	Physical	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Cloud Function
Versions	Default: unaffected affected from 3.2.0 to 3.2.16 (excl.) affected from 4.1.0 to 4.1.10 (excl.) affected from 4.2.0 to 4.2.6 (excl.) affected from 4.3.0 to 4.3.3 (excl.) affected from 5.0.0 to 5.0.2 (excl.)

References

https://spring.io/security/cve-2026-40989

Problem Types

CWE-674 Uncontrolled Recursion CWE

Impacts

Under infinite recursion in the routing layer, request-handling can cause an OOM error, leading to denial of service.