CVE-2026-41856 PUBLISHED

Spring GraphQL Annotation Detection Vulnerability

Assigner: vmware
Reserved: 22.04.2026 Published: 11.06.2026 Updated: 11.06.2026

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring for GraphQL
Versions	Default: unaffected affected from 2.0.0 to 2.0.4 (excl.) affected from 1.4.0 to 1.4.6 (excl.) affected from 1.3.0 to 1.3.9 (excl.) affected from 1.0.0 to 1.0.7 (excl.)

References

https://spring.io/security/cve-2026-41856

Problem Types

CWE-284: Improper Access Control CWE

Impacts

Spring Security authorization annotations can be ignored at runtime for @Controller classes within type hierarchies, allowing unauthorized access to protected GraphQL data fetchers.