CVE-2026-41856

CVE Database · CVE-2026-41856

CVE-2026-41856

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

0.39%

Published

Jun 11, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-284

Affected Products (4)

vmware · spring_for_graphql (up to 1.0.7)vulnerable

vmware · spring_for_graphql (up to 1.3.9)vulnerable

vmware · spring_for_graphql (up to 1.4.6)vulnerable

vmware · spring_for_graphql (up to 2.0.4)vulnerable

References (1)

https://spring.io/security/cve-2026-41856

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs