CVE-2026-41856

Summary

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Affected Software

VendorProductVersion RangeStatus
SpringSpring for GraphQL2.0.0 < 2.0.3.1affected
SpringSpring for GraphQL1.4.0 < 1.4.5.1affected
SpringSpring for GraphQL1.3.0 < 1.3.9affected
SpringSpring for GraphQL1.0.0 < 1.0.7affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References