
Description

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Status: PUBLISHED | Reserved 2026-04-22 | Published 2026-06-11 | Updated 2026-06-11 | Assigner vmware

Severity: HIGH 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Problem types

CWE-284: Improper Access Control

Product status

Default status: unaffected

2.0.0 (custom) before 2.0.4: affected

1.4.0 (custom) before 1.4.6: affected

1.3.0 (custom) before 1.3.9: affected

1.0.0 (custom) before 1.0.7: affected

References

spring.io/security/cve-2026-41856

cve.org (CVE-2026-41856)

nvd.nist.gov (CVE-2026-41856)
