Skip to main content

Spring Data REST EUVDEUVD-2026-35910

| CVE-2026-41837 MEDIUM
Improper Access Control (CWE-284)
2026-06-10 security@vmware.com GHSA-mwpv-rg79-863c
5.3
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (vmware) · only source for this CVE.

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Generated
Jun 10, 2026 - 00:45 vuln.today

DescriptionCVE.org

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl.

Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

AnalysisAI

Spring Data REST's Querydsl integration exposes arbitrary persistent entity property paths as request-parameter filter keys without first applying Jackson serialization customizations such as @JsonIgnore or @JsonView, allowing unauthenticated remote attackers to probe and extract values of fields that developers intentionally suppressed from the API surface. All major release trains from 3.7.x through 5.0.x are affected across a broad Spring Boot installation base. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, though the no-auth, low-complexity network vector makes this straightforward to abuse against misconfigured deployments.

Technical ContextAI

Spring Data REST (artifact org.springframework.data:spring-data-rest-webmvc) automatically exposes JPA/Hibernate repositories as hypermedia-driven REST endpoints. Its optional Querydsl integration allows clients to filter collection resources by submitting request parameters that map directly to persistent entity property paths (e.g., GET /users?email=test@example.com). The root cause (CWE-284: Improper Access Control) is that the framework resolves these property paths against the underlying persistence model and passes them to Querydsl before consulting Jackson's serialization layer. Jackson customizations - @JsonIgnore, @JsonProperty renaming, @JsonView restrictions, or custom serializers - are widely used by developers to hide sensitive fields from REST responses (e.g., password hashes, internal identifiers, audit metadata). Because Querydsl receives the raw property path independently of the Jackson pipeline, these suppression annotations have no effect on which properties can be queried, allowing the persistence model to be probed through the filter interface even when the field is absent from any serialized response. No explicit CPE strings were included in the source data; affected artifacts span the five listed release trains.

RemediationAI

The primary fix is to upgrade to a patched version of Spring Data REST; exact fixed version numbers per release train were not included in the available data and must be confirmed at the vendor advisory https://spring.io/security/cve-2026-41837 - that page should be consulted before applying updates. As an immediate compensating control, the Querydsl integration can be disabled entirely by removing the Querydsl dependency from the application classpath or by restructuring exposed repositories to not implement QuerydslPredicateExecutor, which eliminates the vulnerable filter pathway at the cost of losing server-side Querydsl filtering functionality. Alternatively, a servlet filter or Spring HandlerInterceptor can be introduced to maintain an allowlist of permitted filter parameter names, rejecting any request parameter that does not correspond to a field explicitly included in the public projection or DTO - this preserves filtering capability while closing the property-path enumeration surface. Regardless of patching status, developers should treat Jackson annotation-based field suppression as a presentation concern rather than a security boundary; service-layer or method-level authorization (e.g., Spring Security @PreFilter, row-level security) provides defense-in-depth that is not bypassed by this class of vulnerability.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-35910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy