Spring GraphQL Annotation Detection Vulnerability_CVE-2026-41856

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions:
Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Basic Information

ID CVE-2026-41856

Source vmware

Published Jun 11, 2026 at 05:05

Affected Product

Vendor Spring

Product Spring for GraphQL

Version 2.0.0

Affected Versions Spring Spring for GraphQL 2.0.0
Spring Spring for GraphQL 1.4.0
Spring Spring for GraphQL 1.3.0
Spring Spring for GraphQL 1.0.0

CWE Classification

CWE-284

References

spring.io /security/cve-2026-41856

{
    "lastseen": "",
    "description": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.",
    "published": "2026-06-11T05:05:00.491Z",
    "modified": "2026-06-11T05:05:00.491Z",
    "type": "cve",
    "title": "Spring GraphQL Annotation Detection Vulnerability",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2026-41856",
    "id": "CVE-2026-41856",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Spring Spring for GraphQL 2.0.0\nSpring Spring for GraphQL 1.4.0\nSpring Spring for GraphQL 1.3.0\nSpring Spring for GraphQL 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Spring for GraphQL",
    "version": "2.0.0",
    "vendor": "Spring",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}