CVE-2026-41856
7.5 HIGH
Published: 2026-06-11 · Last updated: 2026-06-12
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-284 (Improper Access Control)
Affected products
| Vendor | Product |
|---|---|
| vmware | spring_for_graphql |
Description
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-41856)
- [Vendor advisory](https://spring.io/security/cve-2026-41856)
Related CVEs
Same vendor
- CVE-2026-41700 — Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking (8.1 HIGH)
- CVE-2026-41699 — Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries (8.1 HIGH)
- CVE-2026-41694 — Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a val... (3.7 LOW)
- CVE-2026-41003 — An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Secu... (7.6 HIGH)
- CVE-2026-40988 — An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a ... (7.5 HIGH)
Same CWE
- CVE-2026-53520 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.5 MEDIUM)
- CVE-2026-44783 — Discourse is an open-source discussion platform (5.4 MEDIUM)
- CVE-2026-47182 — Frappe is a full-stack web application framework
- CVE-2026-44976 — Frappe is a full-stack web application framework
- CVE-2026-44208 — Frappe is a full-stack web application framework