{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41856", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-22T06:22:10.081Z", "datePublished": "2026-06-11T05:05:00.491Z", "dateUpdated": "2026-06-11T15:16:55.976Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-11T05:05:00.491Z"}, "title": "Spring GraphQL Annotation Detection Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Spring Security authorization annotations can be ignored at runtime for @Controller classes within type hierarchies, allowing unauthorized access to protected GraphQL data fetchers."}]}], "affected": [{"vendor": "Spring", "product": "Spring for GraphQL", "defaultStatus": "unaffected", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.0.4", "versionType": "custom"}, {"status": "affected", "version": "1.4.0", "lessThan": "1.4.6", "versionType": "custom"}, {"status": "affected", "version": "1.3.0", "lessThan": "1.3.9", "versionType": "custom"}, {"status": "affected", "version": "1.0.0", "lessThan": "1.0.7", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6."}]}], "references": [{"url": "https://spring.io/security/cve-2026-41856"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-11T15:16:49.624069Z", "id": "CVE-2026-41856", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T15:16:55.976Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-11T15:16:49.624069Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T15:16:52.674Z"}}], "cna": {"title": "Spring GraphQL Annotation Detection Vulnerability", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Spring Security authorization annotations can be ignored at runtime for @Controller classes within type hierarchies, allowing unauthorized access to protected GraphQL data fetchers."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring for GraphQL", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.0.4", "versionType": "custom"}, {"status": "affected", "version": "1.4.0", "lessThan": "1.4.6", "versionType": "custom"}, {"status": "affected", "version": "1.3.0", "lessThan": "1.3.9", "versionType": "custom"}, {"status": "affected", "version": "1.0.0", "lessThan": "1.0.7", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-41856"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.", "supportingMedia": [{"type": "text/html", "value": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-11T05:05:00.491Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41856", "state": "PUBLISHED", "dateUpdated": "2026-06-11T15:16:55.976Z", "dateReserved": "2026-04-22T06:22:10.081Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-06-11T05:05:00.491Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "matchCriteriaId": "8081FE74-21D1-4A99-BD7D-EC79761CC5FE", "versionEndExcluding": "1.0.7", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F58A3E0-F0B6-41B9-9257-D20CF2396F2B", "versionEndExcluding": "1.3.9", "versionStartIncluding": "1.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "matchCriteriaId": "122B3480-2A1A-4DBA-A0D2-766A49180264", "versionEndExcluding": "1.4.6", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA8ABB1C-2F5B-425C-AD86-0122B0151D33", "versionEndExcluding": "2.0.4", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6."}], "id": "CVE-2026-41856", "lastModified": "2026-06-12T14:14:06.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-06-11T07:16:28.513", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-41856"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.4.0,1.4.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.0,1.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.0.7)"}}], "original": {"product": "Spring for GraphQL", "source": "cna", "vendor": "Spring"}, "product": "spring_for_graphql", "vendor": "spring"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.4.0,1.4.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.0,1.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.0.7)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "Spring for GraphQL", "source": "cna", "vendor": "Spring"}, "product": "spring_for_graphql", "vendor": "vmware"}], "created": "2026-06-11T07:30:08.605541+00:00", "updated": "2026-06-11T10:40:09.903614+00:00", "vendors": ["spring", "spring$PRODUCT$spring_for_graphql", "vmware", "vmware$PRODUCT$spring_for_graphql"]}