CVE-2026-41856

HIGH

Spring GraphQL Annotation Detection Vulnerability

Title source: cna

Description

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

References (1)

Core 1

Core References

https://spring.io/security/cve-2026-41856

Scores

CVSS v3 7.5

EPSS 0.0039

EPSS Percentile 30.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (5)

Spring/Spring for GraphQL 1.0.0 - 1.0.7

Spring/Spring for GraphQL 1.3.0 - 1.3.9

Spring/Spring for GraphQL 1.4.0 - 1.4.6

Spring/Spring for GraphQL 2.0.0 - 2.0.4

vmware/spring_for_graphql 1.0.0 - 1.0.7

Published Jun 11, 2026

Tracked Since Jun 11, 2026