- Description
- The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
- Source
- security@vmware.com
- NVD status
- Analyzed
- Products
- spring_for_graphql
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- security@vmware.com
- CWE-284
🚨 HIGH Severity CVE-2026-41856 (CVSS 7.5) Spring GraphQL annotation detection flaw allows security annotations to be ignored, potentially bypassing authorization. Affected: Spring GraphQL 1.0.0-2.0.3 Patch immediately. #CVE #Vulnerability #PatchNow https://t.co/j2oDAa9uF1
@DFIR_Lab
12 Jun 2026
🚨*CVE* CVE-2026-41856 The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be … https://t.co/rFLaERNHFW ----- Traducción: CVE-2026-41856 El … https://t.co/utmtNg
@infoflowcloud
11 Jun 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "8081FE74-21D1-4A99-BD7D-EC79761CC5FE",
            "versionEndExcluding": "1.0.7",
            "versionStartIncluding": "1.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "7F58A3E0-F0B6-41B9-9257-D20CF2396F2B",
            "versionEndExcluding": "1.3.9",
            "versionStartIncluding": "1.3.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "122B3480-2A1A-4DBA-A0D2-766A49180264",
            "versionEndExcluding": "1.4.6",
            "versionStartIncluding": "1.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "BA8ABB1C-2F5B-425C-AD86-0122B0151D33",
            "versionEndExcluding": "2.0.4",
            "versionStartIncluding": "2.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]