CVE Catalog

CVE-2026-41699

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

35th percentile - higher than 35% of all known CVEs

Summary

Spring for GraphQL is vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes.

Risk Assessment

The risk for the organization includes potential Remote Code Execution by an attacker, which could lead to server compromise, data theft, or service disruption.

Recommendation

It is recommended to immediately upgrade Spring for GraphQL to version 2.0.4, 1.4.6, or 1.3.9, which contain a fix for the unsafe deserialization vulnerability.

Original NVD description (English source)

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS