CVE-2026-41699 PUBLISHED

Unsafe Deserialization in Spring GraphQL

Assigner: vmware
Reserved: 22.04.2026 Published: 11.06.2026 Updated: 11.06.2026

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring for GraphQL
Versions	Default: unaffected affected from 2.0.0 to 2.0.4 (excl.) affected from 1.4.0 to 1.4.6 (excl.) affected from 1.3.0 to 1.3.9 (excl.)

References

https://spring.io/security/cve-2026-41699

Problem Types

CWE-502: Deserialization of Untrusted Data CWE

Impacts

An attacker can craft a malicious paginated GraphQL query that leads to Remote Code Execution when the application classpath contains specific gadget classes.