Skip to main content

Spring Data REST CVE-2026-41728

| EUVDEUVD-2026-35905 HIGH
Improper Access Control (CWE-284)
2026-06-10 security@vmware.com GHSA-cv39-x4c6-hhp2
7.5
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from Vendor (vmware) · only source for this CVE.

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Generated
Jun 10, 2026 - 00:34 vuln.today

DescriptionCVE.org

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.

Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

AnalysisAI

Authorization bypass in Spring Data REST's JSON Patch handler allows remote unauthenticated attackers to modify protected entity fields by routing writes through intermediate path segments of a multi-segment JSON Pointer. The flaw affects Spring Data REST 3.7.x through 5.0.5 and carries a CVSS 7.5 (high) integrity-only impact; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

Spring Data REST automatically exposes Spring Data repositories as hypermedia HTTP endpoints and supports partial updates via RFC 6902 JSON Patch (application/json-patch+json). The framework provides a write-access filter that enforces per-property access rules (typically via @JsonProperty(access = ...) or @RestResource(exported = false)) when patch operations target entity fields. The root cause is CWE-284 (Improper Access Control): when a JSON Pointer such as /parent/child/field traverses multiple segments, the filter is only evaluated against the final segment rather than each intermediate node along the path, allowing writes to be funneled through traversal segments that bypass the access policy. This is a logic flaw in the patch-resolution code path rather than a parser or deserialization defect.

RemediationAI

Upgrade Spring Data REST to a fixed release on your branch - based on the affected ranges, the first fixed versions are 3.7.20, 4.3.17, 4.4.15, 4.5.12, and 5.0.6 - and consult https://spring.io/security/cve-2026-41728 for the vendor's confirmed patched versions before pinning. As compensating controls until the upgrade ships, do not rely on JSON Patch field-level write filtering alone: temporarily reject the application/json-patch+json content type at the controller or gateway layer (clients can fall back to PUT/PATCH with application/json, at the cost of losing partial-update semantics), set @RepositoryRestResource(exported = false) on repositories that expose sensitive entities so they are not reachable via Spring Data REST at all, or place a Spring Security method-level rule on the repository save/update methods so authorization is enforced independently of the patch filter. Each workaround narrows the attack surface but breaks legitimate JSON Patch clients or REST-exposed repository functionality, so prefer the upgrade.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-41728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy