CVE-2026-41699
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk35th percentile - higher than 35% of all known CVEs
Summary
Spring for GraphQL is vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes.
Risk Assessment
The risk for the organization includes potential Remote Code Execution by an attacker, which could lead to server compromise, data theft, or service disruption.
Recommendation
It is recommended to immediately upgrade Spring for GraphQL to version 2.0.4, 1.4.6, or 1.3.9, which contain a fix for the unsafe deserialization vulnerability.
Original NVD description (English source)
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

