Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl.

Affected versions:
Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Basic Information

ID CVE-2026-41837

Source vmware

Published Jun 9, 2026 at 23:49

Affected Product

Vendor Spring

Product Spring Data REST

Version 3.7.0

Affected Versions Spring Spring Data REST 3.7.0
Spring Spring Data REST 4.3.0
Spring Spring Data REST 4.4.0
Spring Spring Data REST 4.5.0
Spring Spring Data REST 5.0.0

CWE Classification

CWE-284

References

spring.io /security/cve-2026-41837

{
    "lastseen": "",
    "description": "Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.",
    "published": "2026-06-09T23:49:49.848Z",
    "modified": "2026-06-09T23:49:49.848Z",
    "type": "cve",
    "title": "Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41837",
    "id": "CVE-2026-41837",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring Data REST 3.7.0\nSpring Spring Data REST 4.3.0\nSpring Spring Data REST 4.4.0\nSpring Spring Data REST 4.5.0\nSpring Spring Data REST 5.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring Data REST",
    "version": "3.7.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys_CVE-2026-41837