
Spring for GraphQL EUVD-2026-36214

CVE-2026-41856 HIGH
Improper Access Control (CWE-284)
2026-06-11 · Vendor: vmware · GHSA-phxq-526m-79px
CVSS 3.1 base score 7.5 · Vendor: vmware

Severity by source

Vendor (vmware) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable GraphQL endpoint, no auth or user interaction needed, bypass leaks data the fetcher returns (C:H) without altering state (I:N/A:N); scope unchanged within the app.

CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 11, 2026, 08:01 (source: EUVD)
Analysis generated: Jun 11, 2026, 07:02 (source: vuln.today)

Description (source: CVE.org)

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Analysis (AI-generated)

Authorization bypass in Spring for GraphQL (versions 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3) allows remote attackers to invoke @Controller data fetcher methods whose security annotations are declared on parent classes or interfaces, because the framework's annotation detection does not consistently resolve annotations across type hierarchies. The flaw is rated CVSS 7.5 (confidentiality-only impact), and no public exploit had been identified at the time of analysis, but the network-reachable, no-privilege CVSS vector makes any affected GraphQL endpoint a meaningful exposure.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Enumerate GraphQL schema via introspection
Delivery: Identify field backed by inherited-annotation controller
Exploit: Send unauthenticated GraphQL query to endpoint
Execution: Annotation lookup misses inherited @PreAuthorize
Persist: Data fetcher executes without authorization check
Impact: Exfiltrate restricted field data

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a Spring for GraphQL application on an affected version that (a) exposes @Controller-based data fetchers (@SchemaMapping, @QueryMapping, @MutationMapping, @SubscriptionMapping) and (b) relies on Spring Security method-level annotations such as @PreAuthorize, @PostAuthorize, @Secured, or custom meta-annotations declared on a superclass, interface, or otherwise inherited method rather than on the concrete overriding method. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N describes a network-reachable, unauthenticated, low-complexity confidentiality breach with no integrity or availability impact, which is consistent with a GraphQL query exposing data that should have been gated by a security annotation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker sends an ordinary GraphQL query over HTTP to a public Spring GraphQL endpoint, targeting a field whose @Controller data fetcher inherits a @PreAuthorize check from a base class; because the framework fails to discover the inherited annotation, Spring Security does not intervene and the resolver returns data that should have been restricted to authorized users. No exploit code is publicly known, but the attack reduces to crafting a normal query against a known schema, so weaponization is trivial once a vulnerable field is identified.

Remediation: Upgrade the org.springframework.graphql:spring-graphql dependency to a fixed maintenance release on your branch as listed in the Spring advisory at https://spring.io/security/cve-2026-41856 (2.0.x users should move past 2.0.3, 1.4.x past 1.4.5, 1.3.x past 1.3.8, and 1.0.x past 1.0.6); exact fix versions should be taken from that advisory rather than guessed. … Detailed patch versions, workarounds, and compensating controls in full report.
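As an added illustration (not code from the advisory, from vuln.today, or from the Spring project), the following Java shows the controller pattern the Exploitation and Remediation paragraphs above describe: a @PreAuthorize rule declared on a base class and inherited by a concrete @Controller data fetcher, the hardened form that restates the rule on the overriding method so it no longer depends on hierarchy resolution, and a reflection-based audit that lists mapping methods whose security annotation is found only through the type hierarchy. The class, method and field names are hypothetical. The audit relies on Spring's AnnotatedElementUtils, whose find* methods search the type hierarchy while get* methods inspect only the element itself; it is a code-review aid for locating the at-risk pattern, alongside the upgrade to a fixed release.

```java
// Added example: illustrates the inherited-annotation pattern from the assessment
// above and a reflection-based audit for it. Names are hypothetical.
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.graphql.data.method.annotation.SchemaMapping;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;

public class InheritedAuthorizationAudit {

    /** Hypothetical base class that carries the authorization rule. */
    public abstract static class SecuredAccountQueries {
        @PreAuthorize("hasRole('ADMIN')")
        public abstract String accountSecret(@Argument String id);
    }

    /** At-risk form: the data fetcher overrides an annotated parent method but does
     *  not restate @PreAuthorize, so enforcement depends on hierarchy resolution. */
    @Controller
    public static class AtRiskAccountController extends SecuredAccountQueries {
        @Override
        @QueryMapping
        public String accountSecret(@Argument String id) {
            return "secret-for-" + id; // constructed placeholder data
        }
    }

    /** Hardened form: the rule is declared directly on the concrete data fetcher. */
    @Controller
    public static class HardenedAccountController extends SecuredAccountQueries {
        @Override
        @QueryMapping
        @PreAuthorize("hasRole('ADMIN')")
        public String accountSecret(@Argument String id) {
            return "secret-for-" + id; // constructed placeholder data
        }
    }

    /** Security annotations the audit looks for (custom meta-annotations built on
     *  these are covered by Spring's merged-annotation search). */
    private static final List<Class<? extends Annotation>> SECURITY_ANNOTATIONS =
            List.of(PreAuthorize.class, PostAuthorize.class, Secured.class);

    /**
     * Returns one finding per data-fetcher method of {@code controller} whose security
     * annotation is discoverable through the type hierarchy (find semantics) but is not
     * declared on the method itself (get semantics).
     */
    public static List<String> inheritedOnlySecurityAnnotations(Class<?> controller) {
        List<String> findings = new ArrayList<>();
        for (Method m : controller.getMethods()) {
            // @QueryMapping, @MutationMapping, etc. are meta-annotated with @SchemaMapping,
            // so one hierarchy-aware lookup identifies every mapping method.
            if (AnnotatedElementUtils.findMergedAnnotation(m, SchemaMapping.class) == null) {
                continue;
            }
            for (Class<? extends Annotation> sec : SECURITY_ANNOTATIONS) {
                boolean viaHierarchy = AnnotatedElementUtils.findMergedAnnotation(m, sec) != null;
                boolean onMethod = AnnotatedElementUtils.getMergedAnnotation(m, sec) != null;
                if (viaHierarchy && !onMethod) {
                    findings.add(controller.getSimpleName() + "#" + m.getName()
                            + " relies on inherited @" + sec.getSimpleName());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println(inheritedOnlySecurityAnnotations(AtRiskAccountController.class));
        System.out.println(inheritedOnlySecurityAnnotations(HardenedAccountController.class));
    }
}
```

The audit needs spring-core, spring-graphql and spring-security-core on the classpath; in practice the controller classes would be collected from the application context or a classpath scan rather than listed by hand, and any method it reports should have its security annotation restated on the concrete method in addition to the dependency upgrade.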

Recommended Action (AI-generated)

24 hours: Identify all applications using Spring for GraphQL 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, or 2.0.0-2.0.3; audit GraphQL endpoints for inherited @Controller and security annotations. …




EUVD-2026-36214 vulnerability details – vuln.today
