PatchSiren cyber security CVE debrief
CVE-2026-41699 Spring CVE debrief
CVE-2026-41699 is a HIGH severity vulnerability in Spring for GraphQL applications, allowing for Remote Code Execution via Unsafe Deserialization when handling paginated GraphQL queries. An attacker can craft a malicious GraphQL request to exploit this vulnerability when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization.
- Vendor: Spring
- Product: Spring for GraphQL
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Spring for GraphQL versions 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, and 1.3.0 through 1.3.8 are affected. Anyone running one of these versions should treat this as actionable, and with higher urgency if the schema exposes a paginated (Connection) field, since that is one of the two preconditions for exploitation.
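To turn the version ranges above into a check, here is an added example (written for this page, not vendor tooling) that reads `mvn dependency:list` output and reports whether the resolved `org.springframework.graphql:spring-graphql` version falls inside a listed range. The sample dependency listing is constructed; the Maven coordinates and the handling of pre-release qualifiers are the example's own assumptions, and because the page does not name fixed versions the check only distinguishes "inside a listed range" from "not listed".

```python
"""Check whether a Spring for GraphQL version is inside the affected ranges
listed in this debrief. Example code written for this page, not vendor tooling."""
import re
from typing import Optional

# Affected ranges exactly as this debrief states them (inclusive at both ends).
# The page does not name fixed versions, so anything outside these ranges is
# reported as "not listed", never as "fixed".
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 0, 3)),
    ((1, 4, 0), (1, 4, 5)),
    ((1, 3, 0), (1, 3, 8)),
]

# Maven coordinates of the core library (assumption for this example). Note that
# spring-boot-starter-graphql carries the Spring Boot version, not the Spring for
# GraphQL version, so the core artifact is the one to match.
ARTIFACT = "org.springframework.graphql:spring-graphql"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# `mvn dependency:list` prints groupId:artifactId:type[:classifier]:version:scope
_DEP_RE = re.compile(re.escape(ARTIFACT) + r":[\w-]+:(?:[^:\s]+:)?(\d[^:\s]*):")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch). Qualifiers (-SNAPSHOT, -M1, .RELEASE) are
    dropped, which deliberately errs on the side of flagging pre-releases."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the ranges from the debrief."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def spring_graphql_version(dependency_list: str) -> Optional[str]:
    """Pull the resolved spring-graphql version out of `mvn dependency:list` output."""
    for line in dependency_list.splitlines():
        m = _DEP_RE.search(line)
        if m:
            return m.group(1)
    return None


def assess(dependency_list: str) -> str:
    """One-line verdict for a dependency listing."""
    version = spring_graphql_version(dependency_list)
    if version is None:
        return f"NOT FOUND: {ARTIFACT} is not in the dependency list"
    if is_affected(version):
        return f"AFFECTED: spring-graphql {version} is inside a range listed for CVE-2026-41699"
    return f"NOT LISTED: spring-graphql {version} is outside the affected ranges on this page"


# Constructed sample of `mvn dependency:list` output (not from a real project).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-graphql:jar:3.5.3:compile
[INFO]    org.springframework.graphql:spring-graphql:jar:1.4.3:compile
[INFO]    com.graphql-java:graphql-java:jar:24.1:compile
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DEPENDENCY_LIST))
```

Run `mvn dependency:list` (or the Gradle equivalent) in the service's build directory and pipe the output into `assess`; a version with a qualifier such as `2.0.3-SNAPSHOT` is still flagged, which is the conservative choice for a triage script.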
Technical summary
The flaw is unsafe deserialization of attacker-controlled input while Spring for GraphQL handles a paginated query. Exploitation needs two conditions to hold at once: the schema exposes at least one paginated (Connection) field, and the application classpath contains specific classes that can be leveraged during deserialization. When both hold, a crafted GraphQL request can lead to remote code execution. Absence of either condition reduces exposure but does not remove the need to upgrade, since classpath contents change with every dependency update.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a Spring for GraphQL release outside the affected ranges listed above; this is the only complete fix.
- Apply secure deserialization practices to any attacker-controlled input that reaches the application, and review the classpath for deserialization gadget dependencies that are not actually needed.
- Until the upgrade is deployed, restrict exposure of paginated (Connection) fields, for example by placing them behind authentication or removing them from schemas served to untrusted clients.
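Both the technical summary and the last action above hinge on whether the schema exposes a paginated (Connection) field. The following added example (not part of the original debrief and not Spring for GraphQL's own tooling) takes the JSON returned by a standard introspection query and lists fields that return a type named `*Connection`, which is how Spring for GraphQL names its generated connection types, or that accept the Relay cursor arguments `first`/`after`/`last`/`before` it attaches to such fields. The embedded introspection response is constructed for the example, and the name-suffix rule is a heuristic, so treat the output as a review list rather than a verdict.

```python
"""List paginated (Connection) fields from a GraphQL introspection response, so
you know which fields this debrief's precondition applies to. Example code written
for this page; it is not Spring for GraphQL's own tooling."""
import json

# Query to POST to the /graphql endpoint (standard introspection; the nested
# ofType levels are enough to see through wrappers such as [Book!]!).
INTROSPECTION_QUERY = """
query { __schema { types { kind name fields { name args { name }
  type { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } }
"""

# Cursor arguments Spring for GraphQL adds to Connection fields (Relay cursor spec).
CURSOR_ARGS = {"first", "after", "last", "before"}


def unwrap_type(t: dict) -> str:
    """Strip NON_NULL/LIST wrappers and return the named type, e.g. 'BookConnection'."""
    while t.get("ofType"):
        t = t["ofType"]
    return t.get("name") or ""


def find_connection_fields(introspection: dict) -> list:
    """Return (parent_type, field, return_type, cursor_args) for each field that
    returns a *Connection type or accepts Relay-style cursor arguments.
    Heuristic: Spring for GraphQL names generated connection types <Type>Connection."""
    schema = introspection.get("data", introspection)["__schema"]  # raw or wrapped response
    hits = []
    for type_def in schema["types"]:
        if type_def.get("kind") != "OBJECT" or type_def["name"].startswith("__"):
            continue  # skip scalars, inputs and the introspection meta-types
        for field in type_def.get("fields") or []:
            ret = unwrap_type(field["type"])
            cursor_args = sorted({a["name"] for a in field.get("args") or []} & CURSOR_ARGS)
            if ret.endswith("Connection") or cursor_args:
                hits.append((type_def["name"], field["name"], ret, cursor_args))
    return hits


# Constructed introspection response (not from a real service). `authors` exercises
# the [Author!]! unwrapping and is not flagged; `events` is flagged only because of
# its `after` argument, so it lands on the review list without being a Connection.
SAMPLE_INTROSPECTION = json.loads("""
{"data": {"__schema": {"types": [
  {"kind": "OBJECT", "name": "Query", "fields": [
    {"name": "books", "args": [{"name": "first"}, {"name": "after"}],
     "type": {"kind": "NON_NULL", "name": null,
              "ofType": {"kind": "OBJECT", "name": "BookConnection", "ofType": null}}},
    {"name": "bookById", "args": [{"name": "id"}],
     "type": {"kind": "OBJECT", "name": "Book", "ofType": null}},
    {"name": "authors", "args": [],
     "type": {"kind": "NON_NULL", "name": null,
              "ofType": {"kind": "LIST", "name": null,
                         "ofType": {"kind": "NON_NULL", "name": null,
                                    "ofType": {"kind": "OBJECT", "name": "Author", "ofType": null}}}}},
    {"name": "events", "args": [{"name": "after"}],
     "type": {"kind": "LIST", "name": null,
              "ofType": {"kind": "OBJECT", "name": "Event", "ofType": null}}}
  ]},
  {"kind": "OBJECT", "name": "BookConnection", "fields": [
    {"name": "edges", "args": [],
     "type": {"kind": "LIST", "name": null,
              "ofType": {"kind": "OBJECT", "name": "BookEdge", "ofType": null}}},
    {"name": "pageInfo", "args": [],
     "type": {"kind": "NON_NULL", "name": null,
              "ofType": {"kind": "OBJECT", "name": "PageInfo", "ofType": null}}}
  ]},
  {"kind": "OBJECT", "name": "__Schema", "fields": []}
]}}}
""")

if __name__ == "__main__":
    for parent, field, ret, args in find_connection_fields(SAMPLE_INTROSPECTION):
        print(f"{parent}.{field} -> {ret} (cursor args: {', '.join(args) or 'none'})")
```

If introspection is disabled on the target, the same function works on the introspection JSON produced from the service's own `.graphqls` files in a test environment; either way, every field on the resulting list is a candidate for the interim restriction described above.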
Evidence notes
The CVE-2026-41699 vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. Affected versions include Spring for GraphQL 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, and 1.3.0 through 1.3.8.
Official resources
- CVE-2026-41699 CVE record (CVE.org)
- CVE-2026-41699 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41699 was published on 2026-06-11T07:16:28.280Z and modified on 2026-06-12T19:28:55.920Z.