Spring Data REST JSON Patch bypasses Jackson read-only property protection...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.

Affected versions:
Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Basic Information

ID CVE-2026-41728

Source vmware

Published Jun 9, 2026 at 23:49

Affected Product

Vendor Spring

Product Spring Data REST

Version 3.7.0

Affected Versions Spring Spring Data REST 3.7.0
Spring Spring Data REST 4.3.0
Spring Spring Data REST 4.4.0
Spring Spring Data REST 4.5.0
Spring Spring Data REST 5.0.0

CWE Classification

CWE-284

References

spring.io /security/cve-2026-41728

{
    "lastseen": "",
    "description": "Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.",
    "published": "2026-06-09T23:49:13.279Z",
    "modified": "2026-06-09T23:49:13.279Z",
    "type": "cve",
    "title": "Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41728",
    "id": "CVE-2026-41728",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Data REST 3.7.0\nSpring Spring Data REST 4.3.0\nSpring Spring Data REST 4.4.0\nSpring Spring Data REST 4.5.0\nSpring Spring Data REST 5.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Data REST",
    "version": "3.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections_CVE-2026-41728