Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (vmware) · only source for this CVE.
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.
Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
AnalysisAI
Authorization bypass in Spring Data REST's JSON Patch handler allows remote unauthenticated attackers to modify protected entity fields by routing writes through intermediate path segments of a multi-segment JSON Pointer. The flaw affects Spring Data REST 3.7.x through 5.0.5 and carries a CVSS 7.5 (high) integrity-only impact; no public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
Spring Data REST automatically exposes Spring Data repositories as hypermedia HTTP endpoints and supports partial updates via RFC 6902 JSON Patch (application/json-patch+json). The framework provides a write-access filter that enforces per-property access rules (typically via @JsonProperty(access = ...) or @RestResource(exported = false)) when patch operations target entity fields. The root cause is CWE-284 (Improper Access Control): when a JSON Pointer such as /parent/child/field traverses multiple segments, the filter is only evaluated against the final segment rather than each intermediate node along the path, allowing writes to be funneled through traversal segments that bypass the access policy. This is a logic flaw in the patch-resolution code path rather than a parser or deserialization defect.
RemediationAI
Upgrade Spring Data REST to a fixed release on your branch - based on the affected ranges, the first fixed versions are 3.7.20, 4.3.17, 4.4.15, 4.5.12, and 5.0.6 - and consult https://spring.io/security/cve-2026-41728 for the vendor's confirmed patched versions before pinning. As compensating controls until the upgrade ships, do not rely on JSON Patch field-level write filtering alone: temporarily reject the application/json-patch+json content type at the controller or gateway layer (clients can fall back to PUT/PATCH with application/json, at the cost of losing partial-update semantics), set @RepositoryRestResource(exported = false) on repositories that expose sensitive entities so they are not reachable via Spring Data REST at all, or place a Spring Security method-level rule on the repository save/update methods so authorization is enforced independently of the patch filter. Each workaround narrows the attack surface but breaks legitimate JSON Patch clients or REST-exposed repository functionality, so prefer the upgrade.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35905
GHSA-cv39-x4c6-hhp2