PatchSiren cyber security CVE debrief
CVE-2026-41728 Spring CVE debrief
CVE-2026-41728 is a HIGH severity vulnerability in the JSON Patch (application/json-patch+json) implementation of Spring Data REST. The flaw is that the write-access filter is applied only to the final segment of a JSON Pointer and not to the intermediate segments when a multi-segment path is resolved, so a patch operation can reach a nested property through a parent that the filter should have blocked. The issue affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5.
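To make the mechanism concrete, the following is an added, simplified model of a JSON Patch "replace" handler. It is not Spring Data REST's code; the `READ_ONLY` set, the sample document and the function names are all constructed for this illustration and stand in for the advisory's "write-access filter". The point it demonstrates is the difference between a filter that inspects only the leaf segment of the pointer and one that inspects every segment.

```python
import copy

# Constructed stand-in for a write-access filter: property names that
# a client must never be allowed to modify through JSON Patch.
READ_ONLY = {"owner", "createdAt"}


def parse_pointer(pointer):
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError("JSON Pointer must start with '/'")
    # ~1 decodes to '/', ~0 decodes to '~'; order matters per RFC 6901.
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def leaf_only_check(tokens):
    """Weak filter: only the last path segment is inspected."""
    return tokens[-1] not in READ_ONLY


def every_segment_check(tokens):
    """Hardened filter: every segment along the path must be writable."""
    return all(t not in READ_ONLY for t in tokens)


def _step(node, token):
    """Descend one level, supporting both objects (dict) and arrays (list)."""
    if isinstance(node, list):
        return node[int(token)]
    return node[token]


def apply_replace(doc, pointer, value, check):
    """Apply a JSON Patch 'replace' to a copy of doc after running `check`
    on the parsed path. Raises PermissionError when the filter rejects it."""
    tokens = parse_pointer(pointer)
    if not tokens:
        raise ValueError("replace on the whole document is not supported here")
    if not check(tokens):
        raise PermissionError(f"write to {pointer} denied")
    result = copy.deepcopy(doc)
    node = result
    for t in tokens[:-1]:
        node = _step(node, t)
    last = tokens[-1]
    if isinstance(node, list):
        node[int(last)] = value
    else:
        node[last] = value
    return result


def demo():
    """Return (weak_result, hardened_denied) for a nested write under
    a read-only parent, using a constructed sample document."""
    sample = {"name": "alice", "owner": {"id": 1}, "tags": ["a", "b"]}
    # Leaf-only filter sees only "id", which is not read-only, and allows it.
    weak = apply_replace(sample, "/owner/id", 99, leaf_only_check)
    # Per-segment filter sees "owner" on the path and denies the write.
    try:
        apply_replace(sample, "/owner/id", 99, every_segment_check)
        denied = False
    except PermissionError:
        denied = True
    return weak["owner"]["id"], denied


if __name__ == "__main__":
    print(demo())
```

The hardened variant is the behaviour a patched handler should exhibit: the filter decision is made on the full resolved path, so a protected parent cannot be bypassed by addressing one of its children.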
- Vendor: Spring
- Product: Spring Data REST
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Operators of applications built on an affected Spring Data REST version, in particular those that expose JSON Patch (application/json-patch+json) endpoints, should review their deployments and take the mitigation steps below.
Technical summary
The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N: it is reachable over the network with low attack complexity and requires neither privileges nor user interaction, and its impact is on integrity only (high), with no confidentiality or availability impact. The associated weakness is CWE-284 (Improper Access Control).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a Spring Data REST release outside the affected ranges listed above.
- Apply the fixes provided by the vendor where an upgrade is not immediately possible.
Evidence notes
The CVE record was published on 2026-06-10T00:16:52.260Z and last modified on 2026-06-10T19:24:04.320Z. The vulnerability was reported by [email protected].
Official resources
- CVE-2026-41728 CVE record (CVE.org)
- CVE-2026-41728 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41728 was published on 2026-06-10T00:16:52.260Z.