CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer, so a path that descends through a read-only property into a nested object or collection element is not rejected. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
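The segment-by-segment check that the advisory describes as missing for intermediate segments, written here as an added Python illustration rather than Spring Data REST's own code. The Order/Customer/OrderLine schema (the `SCHEMA` dict, standing in for properties annotated with Jackson's `@JsonProperty(access = READ_ONLY)`) and the `PATCH` document are constructed for the example; `writable_path(..., check_intermediate=False)` models the flawed last-segment-only filtering so the difference between the two behaviours is visible on the same patch.

```python
"""Added illustration (not Spring Data REST's code): validate every segment of a
JSON Patch path against read-only property metadata before applying it.

The schema below is constructed for the example. A property listed under
"read_only" stands in for one annotated with Jackson's
@JsonProperty(access = JsonProperty.Access.READ_ONLY)."""
import json

SCHEMA = {
    "Order": {
        "props": {"id": "long", "status": "String",
                  "customer": "Customer", "lines": "List<OrderLine>"},
        "read_only": {"id", "customer"},
    },
    "Customer": {"props": {"id": "long", "name": "String"}, "read_only": {"id"}},
    "OrderLine": {"props": {"sku": "String", "qty": "int", "unitPrice": "BigDecimal"},
                  "read_only": {"unitPrice"}},
}

WRITE_OPS = {"add", "remove", "replace", "move", "copy"}


def decode_pointer(path):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if path == "":
        return []
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must be empty or start with '/'")
    # Unescape ~1 before ~0 so that "~01" decodes to "~1", not "/".
    return [seg.replace("~1", "/").replace("~0", "~") for seg in path[1:].split("/")]


def element_type(declared):
    """Return the element type of a List<T> declaration, else None."""
    if declared.startswith("List<") and declared.endswith(">"):
        return declared[5:-1]
    return None


def writable_path(root_type, path, check_intermediate=True):
    """True if a write to `path` touches no read-only property.

    check_intermediate=False models the flaw described in the advisory:
    only the final segment is filtered, so a path that descends through a
    read-only property into a nested object or collection is accepted.
    """
    segments = decode_pointer(path)
    if not segments:
        return False  # replacing the whole resource is not a field-level write
    current = root_type
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        elem = element_type(current)
        if elem is not None:
            # Collections are indexed by a number or "-" (append); the element
            # type's read-only rules apply to whatever follows the index.
            if not (seg.isdigit() or seg == "-"):
                return False
            current = elem
            continue
        info = SCHEMA.get(current)
        if info is None or seg not in info["props"]:
            return False  # scalar or unknown property: nothing to descend into
        if seg in info["read_only"] and (last or check_intermediate):
            return False
        current = info["props"][seg]
    return True


def validate_patch(root_type, patch_doc, check_intermediate=True):
    """Return [(op, path, allowed)] for each operation in a JSON Patch document.

    'move' also writes to its source, so both 'from' and 'path' are checked.
    'test' does not write and is always allowed.
    """
    results = []
    for op in json.loads(patch_doc):
        targets = [op["path"]] + ([op["from"]] if op["op"] == "move" else [])
        allowed = op["op"] not in WRITE_OPS or all(
            writable_path(root_type, p, check_intermediate) for p in targets)
        results.append((op["op"], op["path"], allowed))
    return results


# Constructed patch document for the example.
PATCH = json.dumps([
    {"op": "replace", "path": "/status", "value": "SHIPPED"},
    {"op": "replace", "path": "/customer/name", "value": "changed"},
    {"op": "replace", "path": "/lines/0/unitPrice", "value": 0},
    {"op": "test", "path": "/id", "value": 42},
])

if __name__ == "__main__":
    for flag in (False, True):
        print("check_intermediate =", flag)
        for op, path, allowed in validate_patch("Order", PATCH, flag):
            print(f"  {op:8} {path:20} {'allowed' if allowed else 'rejected'}")
```

Run stand-alone, the script prints the same four operations under both modes: with last-segment-only filtering, `/customer/name` is accepted even though `customer` is read-only on `Order`; with every segment checked it is rejected, while `/status` stays writable and `/lines/0/unitPrice` is rejected in both modes because its final segment is itself read-only.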
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 3.7.20 (see Fix available below for the other release lines)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authorization bypass vulnerability in Spring Data REST's JSON Patch implementation. An unauthenticated attacker can reach the affected service over the network and send a crafted PATCH request using a multi-segment JSON Pointer path, which causes the write-access filter to be skipped for intermediate path segments, allowing fields marked as read-only to be overwritten. Successful exploitation lets an attacker tamper with data that should be immutable, including nested objects and collections protected by Jackson's read-only annotations. Patched-image rebuilds at versions 3.7.20, 4.3.17, 4.4.15, 4.5.12, and 5.0.6 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Spring Data REST.
- Scoring and prioritization: Available
HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and weights that score against each environment's compliance policy to prioritize routing; findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation: Available
A patched-image rebuild at the applicable fix version (3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6, depending on the branch in use) is available on HarborGuard for affected images. For customers who opt into auto-remediation, the platform can trigger a rebuild, run a regression test suite against the updated image, and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Spring Data REST endpoint over the network and send HTTP PATCH requests to it.
- Authentication: Not required
No credentials or session token are needed; the malicious PATCH request can be sent by any unauthenticated caller.
- Victim interaction: Not required
No user action is required; the attacker sends the crafted request directly to the service without involving any other party.
- Attack complexity: Low (AC:L)
Exploitation is straightforward and condition-free: the attacker constructs a JSON Patch document with a multi-segment path and sends it, with no race conditions or special environmental state required.
Blast Radius
- An attacker overwrites fields on server-side domain objects that are explicitly marked read-only via Jackson annotations, bypassing the intended access control boundary.
- Nested objects and collection elements within the targeted resource can be mutated, meaning an attacker can alter relational data that spans multiple levels of the object graph.
- Modified records are persisted to the backing data store, so the tampering survives restarts and affects all downstream consumers of that data.
- There is no confidentiality or availability impact: data is not disclosed and services are not disrupted, but the integrity of persisted application state is directly compromised.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-41728 is active against any image containing an affected Spring Data REST version across the 3.7, 4.3, 4.4, 4.5, and 5.0 release lines. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to the appropriate fix version, a regression-test run against that image, and a PR opened against affected workload manifests. For high-severity CVEs, the median time from publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes. For environments where auto-remediation is not enabled, the finding is surfaced in the HarborGuard dashboard with fix-version guidance so engineering teams can act manually. Until a patched image is deployed, network-policy controls that restrict which callers can issue PATCH requests to Spring Data REST endpoints serve as a compensating control, limiting exposure to trusted internal services rather than open internet traffic.
Fix available
- Spring / Spring Data REST: < 3.7.20 (from 3.7.0) · < 4.3.17 (from 4.3.0) · < 4.4.15 (from 4.4.0) · < 4.5.12 (from 4.5.0) · < 5.0.6 (from 5.0.0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N