CVE-2026-41856

Source
https://cve.org/CVERecord?id=CVE-2026-41856
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41856.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41856
Published
2026-06-11T05:05:00.491Z
Modified
2026-07-08T08:13:14.970671735Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Spring GraphQL Annotation Detection Vulnerability
Details

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "2.0.0"
                },
                {
                    "fixed": "2.0.3.1"
                },
                {
                    "introduced": "1.4.0"
                },
                {
                    "fixed": "1.4.5.1"
                },
                {
                    "introduced": "1.3.0"
                },
                {
                    "fixed": "1.3.9"
                },
                {
                    "introduced": "1.0.0"
                },
                {
                    "fixed": "1.0.7"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "2.0.0"
                },
                {
                    "fixed": "2.0.3"
                },
                {
                    "introduced": "1.4.0"
                },
                {
                    "fixed": "1.4.5"
                },
                {
                    "introduced": "1.3.0"
                },
                {
                    "fixed": "1.3.8"
                },
                {
                    "introduced": "1.0.0"
                },
                {
                    "fixed": "1.0.6"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41856.json",
    "cna_assigner": "vmware",
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

Git / github.com/spring-projects/spring-graphql

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-graphql
Events
Database specific
{
    "source": "DESCRIPTION",
    "extracted_events": [
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "1.4.5"
        },
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.6"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41856.json"