CVE-2026-41856

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://spring.io/security/cve-2026-41856	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:spring_for_graphql::::::::
	cpe:2.3:a:vmware:spring_for_graphql::::::::
	cpe:2.3:a:vmware:spring_for_graphql::::::::
	cpe:2.3:a:vmware:spring_for_graphql::::::::

History

12 Jun 2026, 14:14

Type	Values Removed	Values Added
First Time		Vmware spring For Graphql Vmware
CPE		cpe:2.3:a:vmware:spring_for_graphql::::::::
References	~~() https://spring.io/security/cve-2026-41856 -~~	() https://spring.io/security/cve-2026-41856 - Vendor Advisory

11 Jun 2026, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-11 07:16

Updated : 2026-06-12 14:14

NVD link : CVE-2026-41856

Mitre link : CVE-2026-41856

CVE.ORG link : CVE-2026-41856

JSON object : View

Products Affected

vmware

spring_for_graphql

CWE

CWE-284

Improper Access Control

{"id": "CVE-2026-41856", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@vmware.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-06-11T07:16:28.513", "references": [{"url": "https://spring.io/security/cve-2026-41856", "tags": ["Vendor Advisory"], "source": "security@vmware.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@vmware.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6."}], "lastModified": "2026-06-12T14:14:06.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8081FE74-21D1-4A99-BD7D-EC79761CC5FE", "versionEndExcluding": "1.0.7", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F58A3E0-F0B6-41B9-9257-D20CF2396F2B", "versionEndExcluding": "1.3.9", "versionStartIncluding": "1.3.0"}, {"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "122B3480-2A1A-4DBA-A0D2-766A49180264", "versionEndExcluding": "1.4.6", "versionStartIncluding": "1.4.0"}, {"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA8ABB1C-2F5B-425C-AD86-0122B0151D33", "versionEndExcluding": "2.0.4", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@vmware.com"}