CVE Catalog

CVE-2026-41728

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile - higher than 22% of all known CVEs

Summary

A vulnerability in Spring Data REST's JSON Patch (application/json-patch+json) implementation fails to apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. This allows an attacker to bypass access controls and modify resources they should not have write access to.

Risk Assessment

The risk is unauthorized data modification by an attacker, potentially leading to privilege escalation or data integrity compromise in applications using Spring Data REST.

Recommendation

Immediately upgrade Spring Data REST to version 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6, depending on your release line, which contain the fix for this vulnerability.

Original NVD description (English source)

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS