
Spring Cloud Sleuth CVE-2026-41708

EUVD-2026-36797 · HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-15 · vmware · GHSA-26m2-9g2q-v45q
CVSS 3.1 base score: 7.5 · Vendor: vmware

Severity by source

Vendor (vmware), primary: 7.5 HIGH
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

vuln.today AI: 7.5 HIGH
  Network-reachable DoS via crafted calls to default-enabled TX instrumentation; no auth or UI required, availability-only impact, no scope change.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 15, 2026 - 21:01 (EUVD)
Analysis generated: Jun 15, 2026 - 19:56 (vuln.today)

Description (CVE.org)

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is not disabled.

Affected versions: Spring Cloud Sleuth 3.1.0 through 3.1.13.

Analysis (AI)

A denial-of-service flaw in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote, unauthenticated attackers to render an application unavailable by sending specially crafted calls that are processed by the spring-cloud-sleuth-instrumentation library when Spring TX (transaction) instrumentation is enabled. The flaw is network-reachable with low attack complexity and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but no public exploit had been identified at the time of analysis and there is no CISA KEV listing. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Spring Boot service with Sleuth 3.1.x
Delivery: Send crafted requests to transactional endpoint
Exploit: Trigger resource exhaustion in TX instrumentation
Execution: Exhaust JVM CPU and memory
Impact: Service stops responding to legitimate traffic

Vulnerability Assessment (AI)

Exploitation: The target application must (1) include the org.springframework.cloud:spring-cloud-sleuth-instrumentation dependency at a version in the range 3.1.0 to 3.1.13, (2) have Spring TX instrumentation enabled, which is the default, so this precondition is satisfied unless an operator has explicitly set spring.sleuth.tx.enabled=false, and (3) expose a network-reachable endpoint whose request handling flows through transactional code (any @Transactional service called from a controller). …

Risk Assessment: CVSS 7.5 reflects a clean network-reachable DoS (AV:N/AC:L/PR:N/UI:N) with high availability impact only, consistent with the CWE-400 resource-exhaustion class. …

Exploit Scenario: An unauthenticated attacker sends a high volume of specially crafted requests to any public endpoint of a Spring Boot service that uses spring-cloud-sleuth-instrumentation with default (enabled) Spring TX instrumentation; each request triggers the vulnerable instrumentation path, consuming CPU, memory, or span buffer resources until the JVM becomes unresponsive and the service drops legitimate traffic. No public exploit had been identified at the time of analysis, so the scenario assumes the attacker has reverse-engineered the crafted-call pattern from the patch diff.

Remediation: An upstream fix is available per the Spring advisory at https://spring.io/security/cve-2026-41708; an exact fixed version was not provided in the input data, so consult the advisory for the patched 3.1.x release or the recommended migration target. …

Recommended Action (AI)

Within 24 hours: identify all deployments running Spring Cloud Sleuth 3.1.0-3.1.13 with spring-cloud-sleuth-instrumentation TX instrumentation active. …
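The inventory step above (find deployments on 3.1.0 to 3.1.13 with TX instrumentation still enabled) can be scripted against artefacts most teams already have: a Maven `dependency:tree` dump and the application's `application.properties`. The following is an added example written for this page, not code from vuln.today, VMware or the Spring project. It checks preconditions (1) and (2) from the assessment; precondition (3), a reachable endpoint that passes through transactional code, needs knowledge of the application and is deliberately left out. The dependency-tree lines, artifact versions and property values are constructed sample input, and the coordinate regex assumes the usual `group:artifact[:packaging]:version` layout.

```python
"""Precondition check for CVE-2026-41708 (added example, not the page's or
Spring's own code).  Flags a service when spring-cloud-sleuth-instrumentation
is on the classpath at 3.1.0..3.1.13 AND spring.sleuth.tx.enabled has not been
set to false (Sleuth enables TX instrumentation by default)."""
import re

VULN_ARTIFACT = "org.springframework.cloud:spring-cloud-sleuth-instrumentation"
VULN_MIN = (3, 1, 0)
VULN_MAX = (3, 1, 13)          # inclusive range, as stated in the advisory
TX_PROPERTY = "spring.sleuth.tx.enabled"

# Matches Maven/Gradle style coordinates such as
#   org.springframework.cloud:spring-cloud-sleuth-instrumentation:jar:3.1.11:compile
#   org.springframework.cloud:spring-cloud-sleuth-instrumentation:3.1.11
# (group, artifact, optional packaging, version).  Assumed layout, not a Maven API.
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:[\w\-]+:)?(\d[\w.\-]*)")


def parse_version(text):
    """Numeric prefix of a version string as a tuple; '3.1.13.RELEASE' -> (3, 1, 13).
    Qualifiers (RELEASE, SNAPSHOT, ...) are ignored for the range comparison."""
    nums = []
    for part in text.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums)


def is_vulnerable_version(version):
    """True when the version lies inside the advisory's affected range."""
    v = (parse_version(version) + (0, 0, 0))[:3]   # pad so '3.1' compares as 3.1.0
    return VULN_MIN <= v <= VULN_MAX


def find_sleuth_instrumentation(tree_lines):
    """Return every version of the instrumentation artifact seen in a dependency tree.
    Note: for Gradle output with conflict resolution ('3.1.11 -> 3.1.13') this
    reports the declared version; use the resolved one in a real inventory."""
    found = []
    for line in tree_lines:
        m = COORD_RE.search(line)
        if m and f"{m.group(1)}:{m.group(2)}" == VULN_ARTIFACT:
            found.append(m.group(3))
    return found


def parse_properties(lines):
    """Minimal application.properties reader (key=value, '#'/'!' comments)."""
    props = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def tx_instrumentation_enabled(properties):
    """Only an explicit 'false' disables TX instrumentation; absence means enabled."""
    return properties.get(TX_PROPERTY, "true").strip().lower() != "false"


def assess(tree_lines, properties):
    """Combine the classpath and configuration checks into one verdict."""
    versions = find_sleuth_instrumentation(tree_lines)
    vulnerable = [v for v in versions if is_vulnerable_version(v)]
    tx_enabled = tx_instrumentation_enabled(properties)
    return {
        "versions": versions,
        "vulnerable_versions": vulnerable,
        "tx_enabled": tx_enabled,
        "exposed": bool(vulnerable) and tx_enabled,   # conditions (1) and (2) both hold
    }


# Constructed sample input: a Maven dependency:tree excerpt and two property files.
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.4.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-sleuth:jar:3.1.11:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-sleuth-autoconfigure:jar:3.1.11:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-sleuth-instrumentation:jar:3.1.11:compile
[INFO] \\- org.springframework:spring-tx:jar:5.3.31:compile
""".splitlines()
SAMPLE_PROPERTIES_DEFAULT = ["spring.application.name=orders", "server.port=8080"]
SAMPLE_PROPERTIES_MITIGATED = SAMPLE_PROPERTIES_DEFAULT + ["spring.sleuth.tx.enabled=false"]

if __name__ == "__main__":
    for label, props in (("default config", SAMPLE_PROPERTIES_DEFAULT),
                         ("tx disabled", SAMPLE_PROPERTIES_MITIGATED)):
        print(label, assess(SAMPLE_TREE, parse_properties(props)))
```

Run it once per deployment with the real `mvn dependency:tree` output and property file; a result with `exposed` true means the deployment belongs on the patch list for this CVE, and `tx_enabled` false confirms the advisory's interim workaround is in place while the patched 3.1.x release is rolled out.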
