CVE Catalog

CVE-2026-41856

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can cause security annotations to be ignored at runtime if used for authorization decisions.

Risk Assessment

The risk involves potential bypass of authorization checks, which could allow unauthorized users to access protected data or operations in the GraphQL application.

Recommendation

It is recommended to immediately upgrade Spring for GraphQL to version 2.0.4 or later (for 2.0.x line), 1.4.6 (for 1.4.x), 1.3.9 (for 1.3.x), or 1.0.7 (for 1.0.x).

Original NVD description (English source)

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS