SB2026051172 - Multiple vulnerabilities in Spring Cloud Function
Published: May 11, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Uncontrolled Recursion (CVE-ID: CVE-2026-40989)
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper control of recursion in the routing layer when handling self-composed functions. An attacker with physical access can trigger infinite recursion in request handling to cause a denial of service.
User interaction is required.
2) Resource exhaustion (CVE-ID: CVE-2026-40990)
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the function registry when adding function definitions. An attacker with physical access can add an infinite number of functions to cause a denial of service.
User interaction is required.
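The two weakness classes above, shown with their guards in a simplified model. This is an added example, not Spring Cloud Function code and not the vendor's fix; the class name, the `|` stage separator, and both caps are assumptions of the model.

```java
import java.util.*;
import java.util.function.UnaryOperator;

// Hypothetical model of a function registry and router; not Spring Cloud Function code.
public class BoundedFunctionRegistry {
    static final int MAX_DEFINITIONS = 256; // assumed cap on registered definitions
    static final int MAX_DEPTH = 16;        // assumed cap on nested composition depth
    record Def(UnaryOperator<String> leaf, List<String> stages) {}
    private final Map<String, Def> defs = new HashMap<>();

    // Resource-exhaustion guard: new names are refused once the cap is reached.
    private void put(String name, Def def) {
        if (!defs.containsKey(name) && defs.size() >= MAX_DEFINITIONS)
            throw new IllegalStateException("function registry is full");
        defs.put(name, def);
    }
    public void registerLeaf(String name, UnaryOperator<String> fn) { put(name, new Def(fn, null)); }
    public void registerComposition(String name, String definition) {
        put(name, new Def(null, List.of(definition.split("\\|"))));
    }
    public String invoke(String name, String input) { return invoke(name, input, new ArrayDeque<>()); }

    // Recursion guard: 'path' holds the compositions currently being expanded, so a
    // name that reappears on it (direct or indirect self-composition) is rejected.
    private String invoke(String name, String input, Deque<String> path) {
        Def def = defs.get(name);
        if (def == null) throw new NoSuchElementException("unknown function " + name);
        if (def.leaf() != null) return def.leaf().apply(input);
        if (path.contains(name) || path.size() >= MAX_DEPTH)
            throw new IllegalStateException("rejected composition " + path + " -> " + name);
        path.addLast(name);
        try {
            String value = input;
            for (String stage : def.stages()) value = invoke(stage, value, path);
            return value;
        } finally { path.removeLast(); }
    }

    public static void main(String[] args) {
        BoundedFunctionRegistry r = new BoundedFunctionRegistry();
        r.registerLeaf("upper", String::toUpperCase);
        r.registerLeaf("exclaim", s -> s + "!");
        r.registerComposition("shout", "upper|exclaim");
        r.registerComposition("loop", "shout|loop"); // constructed self-composed definition
        System.out.println(r.invoke("shout", "hi"));
        try { r.invoke("loop", "hi"); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Without the path check, invoking the constructed `loop` definition would recurse until the thread's stack is exhausted; without the cap in `put`, the map grows with every new name.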
Remediation
Install the update from the vendor's website.