CVE-2026-41856

216.73.216.6

· Published 11/06/2026 09:16 · Modified 12/06/2026 14:14 · Author: The MITRE Corporation

Labels: CVE-2026-41856 2026-06-11 CVE-2026-41856 CWE-284 [email protected]

Essential information

Published: 11/06/2026 09:16
Modified: 12/06/2026 14:14
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 7.5 HIGH (v3.1)
CISA KEV: No
CWE: CWE-284
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
vmware / spring for graphql	`cpe:2.3:a:vmware:spring_for_graphql::::::::`
vmware / spring for graphql	`cpe:2.3:a:vmware:spring_for_graphql::::::::`
vmware / spring for graphql	`cpe:2.3:a:vmware:spring_for_graphql::::::::`
vmware / spring for graphql	`cpe:2.3:a:vmware:spring_for_graphql::::::::`