Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations.

Affected versions:
Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Basic Information

ID CVE-2026-41006

Source vmware

Published Jun 9, 2026 at 03:57

Affected Product

Vendor Spring

Product Spring HATEOAS

Version 1.5.0

Affected Versions Spring Spring HATEOAS 1.5.0
Spring Spring HATEOAS 2.3.0
Spring Spring HATEOAS 2.4.0
Spring Spring HATEOAS 2.5.0
Spring Spring HATEOAS 3.0.0

CWE Classification

CWE-284

References

spring.io /security/cve-2026-41006

{
    "lastseen": "",
    "description": "Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations.\n\nAffected versions:\nSpring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.",
    "published": "2026-06-09T03:57:39.106Z",
    "modified": "2026-06-09T03:57:39.106Z",
    "type": "cve",
    "title": "Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41006",
    "id": "CVE-2026-41006",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring HATEOAS 1.5.0\nSpring Spring HATEOAS 2.3.0\nSpring Spring HATEOAS 2.4.0\nSpring Spring HATEOAS 2.5.0\nSpring Spring HATEOAS 3.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring HATEOAS",
    "version": "1.5.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration_CVE-2026-41006