CVE-2026-41856
Last modified
CVE-2026-41856 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. EPSS estimates a 0.35% chance of exploitation in the next 30 days.
Description
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring For Graphql | >= 1.0.0, < 1.0.7 |
| Vmware | Spring For Graphql | >= 1.3.0, < 1.3.9 |
| Vmware | Spring For Graphql | >= 1.4.0, < 1.4.6 |
| Vmware | Spring For Graphql | >= 2.0.0, < 2.0.4 |
References
- https://spring.io/security/cve-2026-41856Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-41856?
How severe is CVE-2026-41856?
How do I fix CVE-2026-41856?
Are you affected by CVE-2026-41856?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST