CVE-2026-41006: Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 1.5.7 on the 1.5.x branch (2.3.5, 2.4.2, 2.5.3 and 3.0.4 on the later branches)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in Spring HATEOAS, a library used to add hypermedia links to Spring-based REST APIs. The flaw is reachable over the network without any authentication, making it exploitable by any client that can send HTTP requests to a service using the Collection+JSON or UBER media type deserializers. Successful exploitation crashes or exhausts the affected service, causing a complete loss of availability. Patched-image rebuilds at versions 1.5.7, 2.3.5, 2.4.2, 2.5.3, and 3.0.4 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection (Available): Detection of CVE-2026-41006 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring HATEOAS. Any image found to contain an affected version is flagged immediately in the pipeline scan results.
Triage (Available): Triage uses the CVSS v3.1 score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize findings according to each customer organization's risk thresholds. Routed findings are directed to the appropriate team inbox within each customer org based on configured ownership rules.
Remediation (Available): A patched-image rebuild at each of the fix versions (1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4, matched to the affected branch in the customer image) becomes available in HarborGuard the moment the fix is confirmed. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable deserializer is exposed over the network; an attacker must be able to send HTTP requests to the service to trigger the flaw.
- Authentication: Not required
No credentials or session token of any kind are needed; any unauthenticated client can send a crafted request.
- Victim interaction: Not required
No user action or social-engineering step is required; the attacker sends the malicious payload directly to the service endpoint.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free; no race condition, memory layout dependency, or special environmental state is needed.
Blast Radius
- Crashes or exhausts the targeted Spring HATEOAS service, making it completely unavailable to legitimate users.
- No confidential data is read or extracted; the impact is limited to availability.
- No stored data is modified or deleted; integrity of the application state is unaffected.
- Depending on deployment topology, a crashed service may trigger cascading failures in dependent microservices that rely on its hypermedia responses.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and remediation capabilities for CVE-2026-41006 are ready for any customer environment running an affected Spring HATEOAS version. For environments with auto-remediation enabled, HarborGuard can rebuild the image at the appropriate fix branch (1.5.7, 2.3.5, 2.4.2, 2.5.3, or 3.0.4), execute a regression test run, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy permits auto-remediation, no manual steps are required. Customers who manage remediation manually can use HarborGuard scan results to identify every image in their registry that bundles an affected version and prioritize upgrades accordingly. Because this vulnerability is network-reachable and requires no authentication, customers running exposed Spring HATEOAS endpoints should treat this as urgent regardless of auto-remediation status.
Fix available
- Spring / Spring HATEOAS: < 1.5.7 (from 1.5.0) · < 2.3.5 (from 2.3.0) · < 2.4.2 (from 2.4.0) · < 2.5.3 (from 2.5.0) · < 3.0.4 (from 3.0.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
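For teams that triage manually, the following script turns the version ranges listed above into a check that can be run against `mvn dependency:tree` output and against the application's hypermedia configuration. It is an added example written for this page, not HarborGuard tooling or Spring code; the affected ranges and fix versions are copied from the advisory text, the Maven tree and Java config snippets are constructed sample inputs, and the media-type check assumes Collection+JSON and UBER were enabled through Spring HATEOAS's `@EnableHypermediaSupport(type = ...)` annotation (a plain text heuristic, not a parse of the Spring configuration).

```python
"""Exposure check for CVE-2026-41006 (Spring HATEOAS Collection+JSON / UBER).

Added example for this page, not HarborGuard or Spring code. Affected
ranges and fix versions come from the advisory; sample inputs are constructed.
"""
import re
from typing import List, Optional, Set, Tuple

# (first affected, first fixed) per branch, from the "Fix available" line.
AFFECTED_RANGES = [
    ((1, 5, 0), (1, 5, 7)),
    ((2, 3, 0), (2, 3, 5)),
    ((2, 4, 0), (2, 4, 2)),
    ((2, 5, 0), (2, 5, 3)),
    ((3, 0, 0), (3, 0, 4)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing qualifier such as '-SNAPSHOT'
    or '.RELEASE' is ignored for the range comparison."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_version_for(version: str) -> Optional[str]:
    """Return the fix version on the same branch if `version` is affected,
    otherwise None. Versions outside every listed branch (e.g. 2.2.x or
    3.1.x) are not claimed by the advisory and are reported as unaffected."""
    v = parse_version(version)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


# Matches a `mvn dependency:tree` line such as
# "[INFO] +- org.springframework.hateoas:spring-hateoas:jar:2.3.4:compile"
_DEP_LINE = re.compile(
    r"org\.springframework\.hateoas:spring-hateoas:jar:([^:\s]+):(\w+)"
)


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, str, str]]:
    """Return (version, scope, fix_version) for every spring-hateoas entry
    in the tree output whose version falls inside an affected range."""
    findings = []
    for version, scope in _DEP_LINE.findall(tree_output):
        fix = fix_version_for(version)
        if fix is not None:
            findings.append((version, scope, fix))
    return findings


# Assumption: the affected media types were opted into with
# @EnableHypermediaSupport(type = { HypermediaType.COLLECTION_JSON, ... }).
# This string match will miss types enabled any other way.
_MEDIA_TYPE = re.compile(r"HypermediaType\.(COLLECTION_JSON|UBER)\b")


def enabled_affected_media_types(java_source: str) -> Set[str]:
    """Return the affected hypermedia types referenced in a Java config file."""
    return set(_MEDIA_TYPE.findall(java_source))


# Constructed sample inputs (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-hateoas:jar:3.2.1:compile
[INFO] |  \\- org.springframework.hateoas:spring-hateoas:jar:2.3.4:compile
[INFO] \\- org.springframework:spring-web:jar:6.1.2:compile
"""

SAMPLE_CONFIG = """\
@Configuration
@EnableHypermediaSupport(type = { HypermediaType.HAL, HypermediaType.COLLECTION_JSON })
class HypermediaConfig {}
"""

if __name__ == "__main__":
    for version, scope, fix in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-hateoas {version} ({scope}) is affected; upgrade to {fix}")
    types = enabled_affected_media_types(SAMPLE_CONFIG)
    if types:
        print("affected deserializers are enabled:", ", ".join(sorted(types)))
    else:
        print("neither Collection+JSON nor UBER is enabled via the annotation")
```

A hit from `scan_dependency_tree` alone means the library is present; the advisory's exploit conditions also require the Collection+JSON or UBER deserializer to be reachable, which is what the second check approximates. Treat a version hit with no annotation match as "upgrade anyway, lower urgency" rather than "not exposed", since the heuristic can miss other ways of registering those media types.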