CVE-2026-41728
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
A vulnerability in Spring Data REST's JSON Patch (application/json-patch+json) implementation fails to apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. This allows an attacker to bypass access controls and modify resources they should not have write access to.
Risk Assessment
The risk is unauthorized data modification by an attacker, potentially leading to privilege escalation or data integrity compromise in applications using Spring Data REST.
Recommendation
Immediately upgrade Spring Data REST to version 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6, depending on your release line, which contain the fix for this vulnerability.
Original NVD description (English source)
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

