PT-2026-38293 · Unknown · Micronaut Framework

Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-44242

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Micronaut Framework versions prior to 4.10.22

Description

In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can cause heap memory exhaustion. This occurs because the bundleCache is unbounded and keyed by a combination of Locale and baseName, where the locale is derived from the HTTP Accept-Language header. By sending a large number of requests with unique Accept-Language values, an attacker can force the application to create an excessive number of entries in the bundleCache, leading to memory depletion.

Recommendations

Update to version 4.10.22.
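
The cache-key problem in the description, shown next to a bounded alternative. This is an added illustration, not Micronaut's code and not the change shipped in 4.10.22. The class, field and method names, the supported-locale list and the size limit are assumptions; only standard `java.util` calls are used.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration: class, field and method names are hypothetical, not Micronaut APIs.
public class LocaleCacheKeyDemo {
    // Assumption: the locales the application actually ships message bundles for.
    static final List<Locale> SUPPORTED = List.of(Locale.ENGLISH, Locale.GERMAN, Locale.FRENCH);
    static final int MAX_ENTRIES = 16;

    // Pattern from the description: each distinct request locale adds a key that is never evicted.
    static final Map<String, Object> unbounded = new HashMap<>();

    // Bounded alternative: access-ordered map that drops the least recently used entry.
    static final Map<String, Object> bounded = new LinkedHashMap<String, Object>(16, 0.75f, true) {
        @Override
        protected boolean removeEldestEntry(Map.Entry<String, Object> eldest) {
            return size() > MAX_ENTRIES;
        }
    };

    // Collapse any Accept-Language value onto a supported locale before it becomes a key.
    static Locale resolve(String acceptLanguage) {
        try {
            Locale match = Locale.lookup(Locale.LanguageRange.parse(acceptLanguage), SUPPORTED);
            return match != null ? match : SUPPORTED.get(0);
        } catch (IllegalArgumentException | NullPointerException e) {
            return SUPPORTED.get(0); // malformed or missing header: use the default locale
        }
    }

    public static void main(String[] args) {
        String baseName = "messages"; // constructed bundle base name
        for (int i = 0; i < 10_000; i++) {
            String header = "en-x-" + i; // constructed sample: valid tag, unique per request
            Object bundle = new Object(); // stand-in for a loaded resource bundle
            unbounded.put(Locale.forLanguageTag(header).toLanguageTag() + "/" + baseName, bundle);
            bounded.put(resolve(header).toLanguageTag() + "/" + baseName, bundle);
        }
        System.out.println("unbounded entries: " + unbounded.size());
        System.out.println("bounded entries:   " + bounded.size());
    }
}
```

The maps here are not thread-safe; in a server they would need `Collections.synchronizedMap` or a concurrent bounded cache.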

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-44242
GHSA-3RFQ-4WPF-QQW3

Affected Products

Micronaut Framework