PatchSiren cyber security CVE debrief

CVE-2026-41006 Spring CVE debrief

A high-severity vulnerability, CVE-2026-41006, was found in Spring HATEOAS, affecting versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3. The vulnerability is caused by the internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performing bean property binding via reflection without consulting Jackson access-control annotations.

Vendor: Spring
Product: Spring HATEOAS
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-11
Advisory published: 2026-06-09
Advisory updated: 2026-06-11

Who should care

Users of affected Spring HATEOAS versions should update to a patched version to mitigate this vulnerability.

Technical summary

The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, that is, reachable over the network with no privileges or user interaction required, with the impact limited to availability. The weakness is classified as CWE-284 (Improper Access Control).

Defensive priority

High

Recommended defensive actions

  • Update to a patched version of Spring HATEOAS: 1.5.7 or later, 2.3.5 or later, 2.4.2 or later, 2.5.3 or later, or 3.0.4 or later.
  • Refer to the vendor advisory for more information: [ref-4]
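A dependency-version check against the affected and fixed ranges listed above, as an added example (not PatchSiren's or Spring's own code); the sample version strings are constructed, and pre-release qualifiers such as SNAPSHOT are treated as older than the final build of the same number:

```python
"""Check a Spring HATEOAS version against the ranges affected by CVE-2026-41006.

Added example, not PatchSiren's or Spring's code. The version ranges come from the
debrief text above; the sample version strings are constructed.
"""
import re
from typing import Optional, Tuple

# Per affected branch: (first affected release, first fixed release), from the advisory.
# Everything from the first affected release up to, but not including, the fix is affected.
AFFECTED_BRANCHES = [
    ("1.5.0", "1.5.7"),
    ("2.3.0", "2.3.5"),
    ("2.4.0", "2.4.2"),
    ("2.5.0", "2.5.3"),
    ("3.0.0", "3.0.4"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9.-]+))?")

def version_key(text: str) -> Tuple[int, int, int, int]:
    """Sortable key for 'MAJOR.MINOR.PATCH[-qualifier]'.

    A qualifier other than RELEASE (SNAPSHOT, M1, RC1, ...) marks a pre-release that sorts
    before the final build of the same number, so 3.0.4-SNAPSHOT is still below the 3.0.4 fix.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    is_final = qualifier is None or qualifier.upper() == "RELEASE"
    return (int(major), int(minor), int(patch), 1 if is_final else 0)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release of the matching branch if `version` is affected, else None."""
    key = version_key(version)
    for first_affected, first_fixed in AFFECTED_BRANCHES:
        if version_key(first_affected) <= key < version_key(first_fixed):
            return first_fixed
    return None

def audit(versions) -> dict:
    """Map each version to the release to upgrade to, or None when it is outside every affected range."""
    return {v: fixed_version_for(v) for v in versions}

# Constructed sample: version strings as a dependency report might list them.
SAMPLE_VERSIONS = ["1.5.6", "2.3.5", "2.4.1.RELEASE", "3.0.3-SNAPSHOT", "3.0.4-SNAPSHOT", "3.0.4", "2.2.9"]

if __name__ == "__main__":
    for ver, fix in audit(SAMPLE_VERSIONS).items():
        print(f"{ver}: {'upgrade to ' + fix if fix else 'not in an affected range'}")
```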

Evidence notes

The CVE record [cve-org] and NVD detail [nvd] provide additional information about the vulnerability.

Official resources

CVE-2026-41006 was published on 2026-06-09T05:16:34.910Z and modified on 2026-06-11T17:05:18.407Z.