
Spring HATEOAS CVE-2026-41006

EUVD-2026-35345 | Severity: HIGH
Improper Access Control (CWE-284)
2026-06-09 | vmware | GHSA-7fxc-486f-32q9
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 09, 2026 - 06:01 (EUVD)
Analysis generated: Jun 09, 2026 - 05:10 (vuln.today)

Description (NVD)

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations.

Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Analysis (AI)

Denial-of-service via improper access control in Spring HATEOAS affects versions 1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, and 3.0.0-3.0.3, where the internal PropertyUtils.createObjectFromProperties method performs reflection-based bean property binding while ignoring Jackson access-control annotations (@JsonIgnore, @JsonProperty access modes). Remote unauthenticated attackers sending crafted Collection+JSON or UBER media type payloads can bind to properties the developer explicitly marked as inbound-restricted, resulting in a high availability impact (A:H). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify endpoint accepting Collection+JSON or UBER
Delivery: Craft payload setting restricted bean properties
Exploit: Submit unauthenticated HTTP request
Execution: PropertyUtils binds via reflection ignoring Jackson annotations
Persist: Target bean enters invalid state
Impact: Service availability degraded

Vulnerability Assessment (AI)

Exploitation: The target application must use Spring HATEOAS at an affected version AND have explicitly enabled the Collection+JSON or UBER media type modules (typically via @EnableHypermediaSupport(type = {HypermediaType.COLLECTION_JSON, HypermediaType.UBER})); the default HAL configuration is not on the vulnerable code path. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 7.5 score derives entirely from the availability dimension (C:N/I:N/A:H) with a network attack vector, low complexity, no privileges, and no user interaction, meaning a remote unauthenticated attacker can trigger the impact against any endpoint that accepts Collection+JSON or UBER payloads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker identifies an internet-facing Spring application that accepts Collection+JSON or UBER hypermedia submissions (for example, a POST endpoint backing a hypermedia API client) and submits a crafted payload containing property names the developer annotated as non-writable via Jackson. Because PropertyUtils binds via reflection without honoring those annotations, the values are accepted into the target bean and the resulting state corruption or downstream processing exception causes service unavailability consistent with the A:H rating. …

Remediation: Upstream fix available per vendor advisory; released patched versions are implied to be the next point releases above each affected branch (1.5.7, 2.3.5, 2.4.2, 2.5.3, 3.0.4), but those exact fix versions are not independently confirmed in the input data; consult https://spring.io/security/cve-2026-41006 for authoritative patched releases before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all applications using Spring HATEOAS; compare deployed versions against affected ranges (1.5.0-1.5.6, 2.3.0-2.3.4, 2.4.0-2.4.1, 2.5.0-2.5.2, 3.0.0-3.0.3) to identify exposure. …


CVE-2026-41006 vulnerability details – vuln.today
