Uncontrolled Recursion Vulnerability in Apache Commons Configuration Software
CVE-2026-45205

Currently unrated

Key Information:

Vendor

Apache

CVE Published:
14 May 2026

What is CVE-2026-45205?

An uncontrolled recursion vulnerability exists in Apache Commons Configuration when it processes untrusted YAML configuration files that may contain cycles. The flaw can lead to a StackOverflowError, crashing the application and disrupting service. Users are strongly advised to upgrade to version 2.15.0 or later to mitigate this vulnerability.
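
The failure mode described above, as an added Java example that is not code from Apache Commons Configuration, from this advisory, or from the 2.15.0 fix. It assumes parsed YAML arrives as nested Map/List objects; the class and method names are hypothetical and the cyclic graph is constructed by hand.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class YamlCycleCheck {  // hypothetical name, illustration only
    // Unguarded walk: recursion depth is bounded only by the data, so a cycle never returns.
    static int countLeavesUnguarded(Object node) {
        if (!(node instanceof Map) && !(node instanceof List)) return 1;
        int n = 0;
        for (Object child : children(node)) n += countLeavesUnguarded(child);
        return n;
    }

    // Guarded walk: containers on the current path are tracked by identity.
    // A HashSet would call hashCode() on the cyclic map and overflow the stack itself.
    static int countLeaves(Object node, Set<Object> path) {
        if (!(node instanceof Map) && !(node instanceof List)) return 1;
        if (!path.add(node)) throw new IllegalArgumentException("cyclic reference in configuration data");
        int n = 0;
        for (Object child : children(node)) n += countLeaves(child, path);
        path.remove(node); // off the path again: a node shared by two siblings is not a cycle
        return n;
    }

    static Iterable<?> children(Object node) {
        return node instanceof Map ? ((Map<?, ?>) node).values() : (List<?>) node;
    }

    public static void main(String[] args) {
        // Constructed sample: a container that refers back to its own ancestor.
        Map<String, Object> root = new LinkedHashMap<>();
        List<Object> servers = new ArrayList<>();
        servers.add("alpha");
        servers.add(root); // back-reference closes the cycle
        root.put("servers", servers);
        try {
            countLeavesUnguarded(root);
        } catch (StackOverflowError e) {
            System.out.println("unguarded walk: StackOverflowError");
        }
        try {
            countLeaves(root, Collections.newSetFromMap(new IdentityHashMap<>()));
        } catch (IllegalArgumentException e) {
            System.out.println("guarded walk: rejected (" + e.getMessage() + ")");
        }
    }
}
```

A check of this kind can reject cyclic input before it reaches configuration code on a version that has not yet been upgraded; it does not replace the upgrade to 2.15.0 or later.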

Affected Version(s)

Apache Commons Configuration 2.2 < 2.15.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Erichen, Institute of Computing Technology, Chinese Academy of Sciences