CVE-2026-41699

Published Jun 11, 2026

Last updated 2 days ago

CVSS high 8.1

Overview

Description
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
Source
security@vmware.com
NVD status
Analyzed
Products
spring_for_graphql

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@vmware.com
CWE-502

Social media

Hype score
Not currently trending

  1. 🚨 HIGH: CVE-2026-41699 (CVSS 8.1) - Spring for GraphQL unsafe deserialization flaw enables RCE via malicious paginated queries. Affects v1.3.0-1.3.8, 1.4.0-1.4.5, 2.0.0-2.0.3. Patch immediately. #CVE #Vulnerability #PatchNow https://t.co/fENCadnTqP

    @DFIR_Lab

    12 Jun 2026

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨*CVE* CVE-2026-41699 Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request … https://t.co/x9J73oSkGP ----- Traducción: CVE-2026-41699 Las… https://t.co/utmtNg

    @infoflowcloud

    11 Jun 2026

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.CVE-2026-41856
  2. Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.CVE-2026-41700

References

Sources include official advisories and independent security research.