CVE Catalog

CVE-2026-41006

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile - higher than 19% of all known CVEs

Summary

The vulnerability in Spring HATEOAS lies in the internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, which performs bean property binding via reflection without consulting Jackson access-control annotations. An attacker can exploit this flaw to gain unauthorized access to object fields that should be protected.

Risk Assessment

The risk involves bypassing access control mechanisms and reading or modifying sensitive data in the application, potentially leading to confidentiality and integrity breaches.

Recommendation

It is recommended to immediately update Spring HATEOAS to version 1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4, depending on the branch used, and apply security patches provided by the vendor.

Original NVD description (English source)

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS