HarborGuard Database
HIGH · CVE-2026-41856 · CNA: vmware

CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.0.7 (1.0.x line; the other affected lines are fixed in 1.3.9, 1.4.6 and 2.0.4)
Affected Products: 1


HarborGuard Analysis

Synopsis

An authorization-bypass vulnerability affects Spring for GraphQL in the 1.0.x, 1.3.x, 1.4.x and 2.0.x release lines (1.0.0 through 1.0.6, 1.3.0 through 1.3.8, 1.4.0 through 1.4.5, and 2.0.0 through 2.0.3). The flaw is reachable over the network without any authentication, and stems from the annotation detection mechanism for @Controller data fetchers failing to correctly resolve security annotations on methods within type hierarchies, such as an annotation declared on an interface or superclass method rather than on the concrete handler method. Where such an annotation is the only control on a data fetcher, it can be silently ignored at runtime, and a remote attacker who can reach the GraphQL endpoint can read data the annotation was meant to protect. Patched-image rebuilds at versions 1.0.7, 1.3.9, 1.4.6, and 2.0.4 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Spring for GraphQL. Any image found to carry an affected version is flagged immediately in the scan results.

Triage: Available

HarborGuard scores this issue at CVSS 7.5 HIGH and surfaces it accordingly in each customer environment, weighted against that environment's compliance policy to determine urgency and escalation path. Triage findings are routed to the appropriate team inbox configured within each customer organization.

Patch: Available

A patched-image rebuild targeting the applicable fix version (1.0.7, 1.3.9, 1.4.6, or 2.0.4, matched to the release line in the scanned image) becomes available on HarborGuard once the fix is confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable GraphQL endpoint must be reachable over the network (AV:N); the attacker sends crafted requests to it without physical or local access.

  • Authentication: Not required

    No credentials or session token are needed (PR:N); any caller who can reach the endpoint can exploit it, provided the bypassed method-level annotation was the control standing between that caller and the data.

  • Victim interaction: Not required

    No user action is needed (UI:N); the attacker sends requests directly to the service with no social-engineering step.

  • Attack complexity: Low

    The bypass is deterministic (AC:L): once an affected version serves a data fetcher whose security annotation lives in the type hierarchy rather than on the concrete method, ordinary queries against that fetcher succeed without special timing or environmental conditions.

Blast Radius

  • An attacker reads data returned by @Controller data fetcher methods that were meant to be restricted by security annotations; the annotation is simply not applied, so no authorization error is raised.
  • Sensitive domain objects, query results, or business data exposed through the GraphQL schema can be retrieved without authorization.
  • No data modification or service disruption is enabled by this vulnerability (I:N/A:N); impact is limited to the confidentiality of data accessible via the affected fetcher methods (C:H).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41856 is active across all connected registries and pipeline scan points, covering every affected release line of Spring for GraphQL. Where a customer image is found to carry an affected version, HarborGuard identifies the appropriate fix version from the set 1.0.7, 1.3.9, 1.4.6, and 2.0.4 and makes a patched-image rebuild available.

For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads are triggered automatically; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit auto-remediation, the rebuild is staged and a manual promotion step is surfaced in the HarborGuard dashboard.

While a rebuild is being validated, two compensating controls are recommended. First, restrict the GraphQL endpoint by network policy to trusted internal callers only, which removes the unauthenticated network path the CVSS vector assumes. Second, review the @Controller classes for data fetchers whose security annotation is declared only on an interface or superclass method rather than on the concrete handler, since that is the layout the vendor description says may not be resolved; for those fetchers, enforce the same rule at another layer until the fixed version is in place, for example by requiring authentication for the whole GraphQL endpoint at the HTTP layer. Neither control is a substitute for the upgrade.


Fix available: 1.0.7, 1.3.9, 1.4.6, 2.0.4
Affected packages
  • Spring / Spring for GraphQL
    < 2.0.4 (from 2.0.0) · < 1.4.6 (from 1.4.0) · < 1.3.9 (from 1.3.0) · < 1.0.7 (from 1.0.0)
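As an added example (not HarborGuard's or the Spring project's code), the following Python classifier encodes the affected and fixed ranges listed above and runs them over dependency-resolution output of the kind a pipeline scan step would see. The sample lines are constructed; the Maven coordinate org.springframework.graphql:spring-graphql is the artifact this page calls Spring for GraphQL, and the line formats mimic mvn dependency:list and gradle dependencies output. Versions on lines the page does not list (for example 1.2.x) are reported as unlisted rather than fixed, and pre-release qualifiers are treated conservatively, so 1.4.6-SNAPSHOT still counts as affected.

```python
"""Classify Spring for GraphQL versions against the ranges published for CVE-2026-41856."""
import re

# Affected ranges as listed on this page, keyed by release line.
# Each bound is (major, minor, patch, final) where final=0 marks a pre-release
# qualifier, so x.y.z-SNAPSHOT sorts below x.y.z. A line is affected on
# [first_affected, first_fixed); both ends are chosen so pre-releases stay inside.
AFFECTED = {
    (2, 0): ((2, 0, 0, 0), (2, 0, 4, 1)),
    (1, 4): ((1, 4, 0, 0), (1, 4, 6, 1)),
    (1, 3): ((1, 3, 0, 0), (1, 3, 9, 1)),
    (1, 0): ((1, 0, 0, 0), (1, 0, 7, 1)),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](.+))?$")

# Matches the artifact in Maven list/tree output (":jar:1.3.2:compile") and in
# Gradle output (":1.4.0 -> 1.4.5", or just "-> 2.0.4" when a BOM manages it).
# The negative lookahead keeps spring-graphql-test from matching.
DEP_RE = re.compile(
    r"org\.springframework\.graphql:spring-graphql(?![\w-])"
    r"(?::jar)?"
    r"(?::(?P<declared>\d+\.\d+\.\d+[\w.-]*))?"
    r"(?:\s*->\s*(?P<resolved>\d+\.\d+\.\d+[\w.-]*))?"
)


def parse_version(text):
    """Return (major, minor, patch, final); 'RELEASE' and no qualifier both count as final."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    qualifier = m.group(4)
    final = 1 if qualifier is None or qualifier.upper() == "RELEASE" else 0
    return (major, minor, patch, final)


def classify(version):
    """Return ('affected', fix), ('fixed', fix) or ('unlisted', None) for one version string."""
    v = parse_version(version)
    bounds = AFFECTED.get(v[:2])
    if bounds is None:
        return "unlisted", None  # line not covered by this advisory; do not assume safe
    first_affected, first_fixed = bounds
    fix = "%d.%d.%d" % first_fixed[:3]
    if first_affected <= v < first_fixed:
        return "affected", fix
    return "fixed", fix


def _sort_key(version):
    try:
        return parse_version(version)
    except ValueError:
        return (0, 0, 0, 0)


def scan(dependency_output):
    """Scan resolution output; returns sorted unique (version, status, fix) findings."""
    findings = {}
    for line in dependency_output.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        version = m.group("resolved") or m.group("declared")  # resolved wins over declared
        if version is None:
            continue  # artifact named without any version; nothing to classify
        try:
            status, fix = classify(version)
        except ValueError:
            status, fix = "unparseable", None  # surface rather than silently skip
        findings[version] = (version, status, fix)
    return sorted(findings.values(), key=lambda f: _sort_key(f[0]))


# Constructed sample: two Maven list lines, one spring-graphql-test decoy, three Gradle lines.
SAMPLE = r"""
[INFO]    org.springframework.boot:spring-boot-starter-graphql:jar:3.3.1:compile
[INFO]    org.springframework.graphql:spring-graphql:jar:1.3.2:compile
[INFO]    org.springframework.graphql:spring-graphql-test:jar:1.3.2:test
+--- org.springframework.graphql:spring-graphql -> 2.0.4
+--- org.springframework.graphql:spring-graphql:1.4.0 -> 1.4.5
|    \--- org.springframework.graphql:spring-graphql:1.2.1
"""

if __name__ == "__main__":
    for version, status, fix in scan(SAMPLE):
        print(f"spring-graphql {version}: {status}" + (f" (upgrade to {fix})" if fix else ""))
```

Feed it the real output of mvn dependency:list or gradle dependencies from the image's build; an "unlisted" result means the page gives no verdict for that line, not that the line is safe.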
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N