Home

Description

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

PUBLISHED Reserved 2026-04-16 | Published 2026-06-09 | Updated 2026-06-09 | Assigner vmware




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-284: Improper Access Control

Product status

Default status
unaffected

1.5.0 (custom) before 1.5.7
affected

2.3.0 (custom) before 2.3.5
affected

2.4.0 (custom) before 2.4.2
affected

2.5.0 (custom) before 2.5.3
affected

3.0.0 (custom) before 3.0.4
affected

References

spring.io/security/cve-2026-41006

cve.org (CVE-2026-41006)

nvd.nist.gov (CVE-2026-41006)

Download JSON