PatchSiren cyber security CVE debrief
CVE-2026-41837 Spring CVE debrief
CVE-2026-41837 is a vulnerability in Spring Data REST's Querydsl integration. The affected versions are Spring Data REST 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5. The Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not take Jackson customizations into account before handing them to Querydsl. The CVSS score is 5.3, and the severity is MEDIUM.
- Vendor: Spring
- Product: Spring Data REST
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 should be aware of this vulnerability and take necessary actions.
Technical summary
The vulnerability is caused by Spring Data REST's Querydsl integration accepting arbitrary persistent property paths as request-parameter filter keys without considering Jackson customizations.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a non-vulnerable version of Spring Data REST.
- Implement additional security measures to restrict access to sensitive data.
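One concrete form of the second action, as an added example that is not part of the advisory or of the Spring project's own code: an explicit allow-list of Querydsl filter keys on a Spring Data REST repository, so that a property hidden from JSON output cannot also be used as a request-parameter filter. The entity, its fields and the repository are hypothetical; `QUser` is assumed to be the Querydsl Q-type generated by the querydsl-apt annotation processor, and Jakarta Persistence (Spring Boot 3 or later) is assumed.

```java
// Added example (not from the advisory or the Spring project): restrict which
// properties Spring Data REST's Querydsl integration will bind as filter keys.
// Entity, field and repository names are hypothetical; QUser is the generated
// Querydsl Q-type for User.
import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@Entity
class User {
    @Id
    Long id;

    String username;

    // Hidden from JSON output by a Jackson customization. The advisory's point
    // is that this customization alone does not stop the property from being
    // accepted as a filter key, so it must be excluded from the bindings too.
    @JsonIgnore
    String passwordHash;
}

@RepositoryRestResource(path = "users")
interface UserRepository extends JpaRepository<User, Long>,
        QuerydslPredicateExecutor<User>,
        QuerydslBinderCustomizer<QUser> {

    @Override
    default void customize(QuerydslBindings bindings, QUser user) {
        // Deny by default: any property not listed below is rejected as a
        // filter key instead of being bound to a persistent property path.
        bindings.excludeUnlistedProperties(true);

        // Allow-list only the public, non-sensitive properties.
        bindings.including(user.username);
    }
}
```

With `excludeUnlistedProperties(true)`, a request that filters on `passwordHash` (or any other unlisted property) is ignored rather than passed through to Querydsl, independently of the Jackson annotations on the entity.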
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4].
Official resources
- CVE-2026-41837 CVE record (CVE.org)
- CVE-2026-41837 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41837 was published on 2026-06-10T00:16:52.830Z and modified on 2026-06-10T19:24:04.320Z.