Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (vmware) · only source for this CVE.
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl.
Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
AnalysisAI
Spring Data REST's Querydsl integration exposes arbitrary persistent entity property paths as request-parameter filter keys without first applying Jackson serialization customizations such as @JsonIgnore or @JsonView, allowing unauthenticated remote attackers to probe and extract values of fields that developers intentionally suppressed from the API surface. All major release trains from 3.7.x through 5.0.x are affected across a broad Spring Boot installation base. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the no-auth, low-complexity network vector makes this straightforward to abuse against misconfigured deployments.
Technical ContextAI
Spring Data REST (artifact org.springframework.data:spring-data-rest-webmvc) automatically exposes JPA/Hibernate repositories as hypermedia-driven REST endpoints. Its optional Querydsl integration allows clients to filter collection resources by submitting request parameters that map directly to persistent entity property paths (e.g., GET /users?email=test@example.com). The root cause (CWE-284: Improper Access Control) is that the framework resolves these property paths against the underlying persistence model and passes them to Querydsl before consulting Jackson's serialization layer. Jackson customizations - @JsonIgnore, @JsonProperty renaming, @JsonView restrictions, or custom serializers - are widely used by developers to hide sensitive fields from REST responses (e.g., password hashes, internal identifiers, audit metadata). Because Querydsl receives the raw property path independently of the Jackson pipeline, these suppression annotations have no effect on which properties can be queried, allowing the persistence model to be probed through the filter interface even when the field is absent from any serialized response. No explicit CPE strings were included in the source data; affected artifacts span the five listed release trains.
RemediationAI
The primary fix is to upgrade to a patched version of Spring Data REST; exact fixed version numbers per release train were not included in the available data and must be confirmed at the vendor advisory https://spring.io/security/cve-2026-41837 - that page should be consulted before applying updates. As an immediate compensating control, the Querydsl integration can be disabled entirely by removing the Querydsl dependency from the application classpath or by restructuring exposed repositories to not implement QuerydslPredicateExecutor, which eliminates the vulnerable filter pathway at the cost of losing server-side Querydsl filtering functionality. Alternatively, a servlet filter or Spring HandlerInterceptor can be introduced to maintain an allowlist of permitted filter parameter names, rejecting any request parameter that does not correspond to a field explicitly included in the public projection or DTO - this preserves filtering capability while closing the property-path enumeration surface. Regardless of patching status, developers should treat Jackson annotation-based field suppression as a presentation concern rather than a security boundary; service-layer or method-level authorization (e.g., Spring Security @PreFilter, row-level security) provides defense-in-depth that is not bypassed by this class of vulnerability.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35910
GHSA-mwpv-rg79-863c