{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-41856","status":"final","version":"1","initial_release_date":"2026-06-11T05:05:00.491Z","current_release_date":"2026-06-11T15:16:55.976Z","revision_history":[{"date":"2026-06-11T05:05:00.491Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-41856 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-41856"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-41856"},{"category":"external","summary":"spring.io","url":"https://spring.io/security/cve-2026-41856"}]},"product_tree":{"branches":[{"category":"vendor","name":"Spring","branches":[{"category":"product_name","name":"Spring for GraphQL","branches":[{"category":"product_version_range","name":">=2.0.0 <2.0.4","product":{"name":"Spring Spring for GraphQL >=2.0.0 <2.0.4","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_for_graphql:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1.4.0 <1.4.6","product":{"name":"Spring Spring for GraphQL >=1.4.0 <1.4.6","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_for_graphql:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1.3.0 <1.3.9","product":{"name":"Spring Spring for GraphQL >=1.3.0 <1.3.9","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_for_graphql:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=1.0.0 <1.0.7","product":{"name":"Spring Spring for GraphQL >=1.0.0 <1.0.7","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:spring:spring_for_graphql:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-41856","title":"Spring GraphQL Annotation Detection Vulnerability","notes":[{"category":"description","text":"The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 1.0.7, 1.3.9, 1.4.6, 2.0.4.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4"]}]}]}