CVE-2026-41710 PUBLISHED

Cache Exhaustion in Stateful Retries leads to Denial of Service

Assigner: vmware
Reserved: 22.04.2026 Published: 09.06.2026 Updated: 09.06.2026

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail.

Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 5.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Retry
Versions	Default: unaffected affected from 2.0.0 to 2.0.13 (excl.) affected from 1.3.0 to 1.3.5 (excl.)

References

https://spring.io/security/cve-2026-41710

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

Impacts

An attacker can exhaust the stateful retry cache by crafting unique failing requests, permanently preventing further stateful retries and circuit breakers from functioning, resulting in denial of service.