Skip to main content

Spring for GraphQL CVE-2026-41699

| EUVD-2026-36212 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-11 vmware GHSA-px92-q6rc-6mwv
Deserialization Java RCE Spring For Graphql
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (vmware) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N/UI:N), but exploitation requires a Connection field exposure plus suitable gadget classes on the classpath, which justifies AC:H; full RCE yields C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 12, 2026 - 19:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 12, 2026 - 19:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 12, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jun 12, 2026 - 19:37 NVD
HIGH CRITICAL
CVSS changed
Jun 12, 2026 - 19:37 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Patch available
Jun 11, 2026 - 08:01 EUVD
Analysis Generated
Jun 11, 2026 - 07:01 vuln.today

DescriptionNVD

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Articles & Coverage 2

News 7 New Java Vulnerabilities - 7 High Severity, No Public POC Jun 12, 2026 News 7 New Java Vulnerabilities - 7 High Severity, No Public Exploits Jun 11, 2026

AnalysisAI

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated attackers to trigger unsafe deserialization by sending crafted paginated GraphQL queries against Connection-type fields. Exploitation requires that the application expose a paginated (Connection) field and that the classpath contains gadget classes leveraged during deserialization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Discover public GraphQL endpoint
Delivery
Enumerate Connection-typed paginated fields
Exploit
Craft malicious pagination cursor with serialized gadget
Install
Submit GraphQL query over HTTP
C2
Trigger unsafe deserialization in framework
Execute
Gadget chain executes JVM code
Impact
Achieve RCE as application user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The application must expose at least one paginated GraphQL field of Relay Connection type through Spring for GraphQL on a vulnerable version (1.3.0-1.3.8, 1.4.0-1.4.5, or 2.0.0-2.0.3), and the JVM classpath must contain deserialization gadget classes that can be chained to reach code execution (otherwise the unsafe deserialization yields an error rather than RCE). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H produces a critical 9.8, reflecting unauthenticated network-reachable RCE potential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a publicly reachable Spring Boot service exposing a GraphQL endpoint with a Connection-typed field (for example, a `users(first: 10, after: ...)` query). They send a crafted GraphQL request whose pagination cursor encodes a malicious serialized object graph; when Spring for GraphQL deserializes it, a gadget chain present on the application classpath executes attacker-controlled code in the JVM process. …
Remediation Vendor-released patch: upgrade Spring for GraphQL to 1.3.9, 1.4.6, or 2.0.4 depending on your maintenance branch, as published in the Spring advisory at https://spring.io/security/cve-2026-41699 and corroborated by https://nvd.nist.gov/vuln/detail/CVE-2026-41699 and https://vuldb.com/vuln/370356. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all applications using Spring for GraphQL and determine which expose paginated Connection fields. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL
10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
CVE-2026-47835 HIGH
8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
CVE-2026-47825 HIGH
8.6 Jun 15

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof

CVE-2026-40999 HIGH
8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
CVE-2026-40998 HIGH
8.2 Jun 11

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath ev

Share

CVE-2026-41699 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy