CVE-2026-41856
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can cause security annotations to be ignored at runtime if used for authorization decisions.
Risk Assessment
The risk involves potential bypass of authorization checks, which could allow unauthorized users to access protected data or operations in the GraphQL application.
Recommendation
It is recommended to immediately upgrade Spring for GraphQL to version 2.0.4 or later (for 2.0.x line), 1.4.6 (for 1.4.x), 1.3.9 (for 1.3.x), or 1.0.7 (for 1.0.x).
Original NVD description (English source)
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

