Severity: HIGH · CVE-2026-41699 · CNA: vmware

CVE-2026-41699: Unsafe Deserialization in Spring GraphQL

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: 1.3.9
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Unsafe deserialization in Spring for GraphQL allows a remote, unauthenticated attacker to achieve remote code execution by sending a crafted paginated GraphQL query. The vulnerability is reachable over the network without any credentials, though exploitation requires specific classes to be present on the application classpath and involves non-trivial conditions reflected in the high attack complexity rating. Successful exploitation gives the attacker full control over the host process, including the ability to read sensitive data, modify application state, and crash the service. A patched-image rebuild at versions 1.3.9, 1.4.6, or 2.0.4 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring for GraphQL. Any image found running an affected version (Spring for GraphQL 1.3.0 to 1.3.8, 1.4.0 to 1.4.5, or 2.0.0 to 2.0.3) is flagged immediately.

Triage: Available

HarborGuard scores this CVE at CVSS 8.1 HIGH and weights that score against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within a customer org based on service ownership and policy thresholds.

Patch: Available

A patched-image rebuild at fix versions 1.3.9, 1.4.6, or 2.0.4 becomes available through HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the GraphQL endpoint over the network; no local access or prior foothold is required.

  • Authentication: Not required

    No credentials or session token are needed to send the malicious paginated query.

  • Victim interaction: Not required

    The attacker triggers the vulnerability entirely through their own crafted request; no user action is needed.

  • Attack complexity: High

    Exploitation is non-trivial: the attacker must identify and target specific gadget classes on the application classpath to complete the deserialization chain.

Blast Radius

  • The attacker executes arbitrary code inside the application's runtime process, gaining the same OS-level privileges as the container or service account.
  • Confidential data accessible to the process, including environment variables, secrets, and in-memory session material, can be read and exfiltrated.
  • The attacker can modify application state, write to mounted volumes, or alter persisted records reachable from the compromised process.
  • The service can be crashed or rendered permanently unavailable by corrupting runtime state during deserialization.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image containing an affected Spring for GraphQL version (1.3.0-1.3.8, 1.4.0-1.4.5, or 2.0.0-2.0.3), covering both upstream base images and customer-built images. Where compliance policy permits, HarborGuard can rebuild affected images at the appropriate fix version (1.3.9, 1.4.6, or 2.0.4). For customers with auto-remediation enabled, the full flow is available: image rebuild, regression-test run, and a pull request opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues. For environments where auto-remediation is not enabled, the finding is surfaced as a high-priority alert with fix-version guidance attached. While coordinating a fix, consider network-policy controls that restrict which services can reach the GraphQL endpoint, and audit the application classpath to identify and remove unnecessary deserialization gadget classes as a compensating control.
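As an added example (not HarborGuard's code and not part of this record), the following Python check applies the affected ranges above to Spring for GraphQL versions and reports the fix version for each hit, run here over constructed lines in the shape of `mvn dependency:list` output. The Maven coordinate `org.springframework.graphql:spring-graphql` is an assumption; a pre-release build of a fix version is treated as still affected.

```python
"""Match Spring for GraphQL versions against the CVE-2026-41699 affected ranges."""
import re

# (first affected, first fixed) per release line, taken from the record above.
AFFECTED_RANGES = [((1, 3, 0), (1, 3, 9)), ((1, 4, 0), (1, 4, 6)), ((2, 0, 0), (2, 0, 4))]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
# Assumed Maven coordinate for the library; adjust if your build names it differently.
COORD_RE = re.compile(r"org\.springframework\.graphql:spring-graphql:jar:([^:\s]+):")

def parse_version(text):
    """Return ((major, minor, patch), has_qualifier) for '1.4.2' or '1.4.6-SNAPSHOT'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups()[:3]), bool(m.group(4))

def fix_version_for(version_text):
    """Return the fix version if the version is affected, otherwise None.

    A pre-release of a fix version (e.g. 1.4.6-SNAPSHOT) predates the fix and is
    treated as affected; versions outside the listed lines are reported unaffected.
    """
    core, has_qualifier = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= core < hi or (core == hi and has_qualifier):
            return ".".join(str(n) for n in hi)
    return None

# Constructed sample in the shape of `mvn dependency:list` output (not a real scan).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework.graphql:spring-graphql:jar:1.4.2:compile
[INFO]    org.springframework.graphql:spring-graphql:jar:2.0.4:compile
[INFO]    org.springframework:spring-web:jar:6.2.0:compile
[INFO]    org.springframework.graphql:spring-graphql:jar:1.3.8:compile
"""

def scan_dependency_list(text):
    """Return {version: fix_version} for every affected spring-graphql artifact found."""
    findings = {}
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m and (fix := fix_version_for(m.group(1))):
            findings[m.group(1)] = fix
    return findings

if __name__ == "__main__":
    for ver, fix in scan_dependency_list(SAMPLE_DEPENDENCY_LIST).items():
        print(f"spring-graphql {ver}: affected by CVE-2026-41699, upgrade to {fix}")
```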


Fix available

1.3.9 · 1.4.6 · 2.0.4

Affected packages

  • Spring / Spring for GraphQL
    < 2.0.4 (from 2.0.0) · < 1.4.6 (from 1.4.0) · < 1.3.9 (from 1.3.0)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H