Description

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Status: PUBLISHED | Reserved 2026-04-22 | Published 2026-06-09 | Updated 2026-06-10 | Assigner: vmware

Severity: MEDIUM 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-284: Improper Access Control

Product status

Default status: unaffected

3.7.0 (custom) before 3.7.20: affected

4.3.0 (custom) before 4.3.17: affected

4.4.0 (custom) before 4.4.15: affected

4.5.0 (custom) before 4.5.12: affected

5.0.0 (custom) before 5.0.6: affected

References

spring.io/security/cve-2026-41837

cve.org (CVE-2026-41837)

nvd.nist.gov (CVE-2026-41837)