PatchSiren cyber security CVE debrief
CVE-2026-41856 VMware CVE debrief
CVE-2026-41856 is a HIGH severity vulnerability in Spring for GraphQL. The annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies, that is, on a method declared by a superclass or interface of the controller rather than on the concrete method itself. This matters when such annotations carry authorization decisions: when all conditions are met, the security annotation is ignored at runtime and the data fetcher executes without the intended access check. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
- Vendor: VMware
- Product: Spring for GraphQL
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Teams running an affected version of Spring for GraphQL, and in particular those whose authorization relies on method-level security annotations (such as Spring Security's @PreAuthorize or @PostAuthorize) attached to @Controller data-fetcher methods that are declared on a superclass or interface, should treat this as a priority fix. Deployments whose authorization is enforced at the web/security-filter layer or inside the fetcher body are not dependent on the affected annotation detection.
Technical summary
The vulnerability arises because the annotation detection mechanism that Spring for GraphQL applies to @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. A security annotation declared on a superclass or interface method, and relied on by the overriding or implementing method, can therefore be missed. The practical effect is that the data fetcher runs with no authorization check at all, so any caller who can reach the GraphQL endpoint and issue the affected query or mutation can obtain data or trigger actions that the annotation was supposed to restrict. The fetcher itself behaves normally otherwise, which makes the missing check easy to overlook in functional testing unless a test exercises the operation as an unauthorized principal.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a Spring for GraphQL release newer than the affected range for the line you are on (2.0.x, 1.4.x, 1.3.x or 1.0.x).
- Inventory @Controller data fetchers whose security annotations are declared on a superclass or interface method rather than on the concrete method. Until the upgrade is deployed, do not rely on those annotations alone: add an explicit authorization check inside the method body, or enforce the rule at the security-filter layer for the GraphQL endpoint.
- After upgrading, verify with a test that invokes each affected operation as an unauthorized principal and expects it to be denied, rather than trusting that the annotation is now resolved.
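The pattern described in the technical summary and the interim mitigation above, as an added illustration that is not part of this debrief or of the Spring project's code: a controller whose authorization rule is carried only by a method in its type hierarchy (here, an interface it implements), beside a hardened controller that declares the rule directly on the concrete data-fetcher method and also enforces it in code. The schema fragment, the Account type, the in-memory sample data, and a Spring MVC deployment with a thread-bound SecurityContext are all assumptions of the example.

```java
// Added illustration; not code from this debrief or from the Spring project.
// Assumed: Spring for GraphQL on Spring MVC (thread-bound SecurityContext),
// Spring Security method security enabled, and this schema fragment:
//   type Query { account(id: ID!): Account }
//   type Account { id: ID!  owner: String!  balanceCents: Int! }
// The Account type and the in-memory data are constructed for the example.
package example.graphql;

import java.util.Map;

import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;

public final class AccountFetchers {

    public record Account(String id, String owner, long balanceCents) {}

    // Constructed sample data: two accounts, two owners.
    static final Map<String, Account> ACCOUNTS = Map.of(
            "acc-1", new Account("acc-1", "alice", 10_000L),
            "acc-2", new Account("acc-2", "bob", 250_000L));

    // ---- Shape the advisory warns about ------------------------------------
    // The authorization rule is declared on a method in the type hierarchy
    // (an interface the controller implements), not on the concrete
    // data-fetcher method. If annotation resolution through the hierarchy
    // fails, nothing else stands between the caller and the account.
    public interface AccountQueries {
        @PostAuthorize("hasRole('ADMIN') or returnObject?.owner == authentication.name")
        Account account(String id);
    }

    @Controller
    public static class InheritedRuleAccountController implements AccountQueries {
        @Override
        @QueryMapping                   // mapping here; security rule only inherited
        public Account account(@Argument String id) {
            return ACCOUNTS.get(id);
        }
    }

    // ---- Hardened form -----------------------------------------------------
    // The rule is declared directly on the concrete method AND enforced in
    // code, so the outcome no longer depends on annotation resolution.
    // Register only one of the two controllers; both map Query.account.
    @Controller
    public static class ExplicitRuleAccountController {

        @QueryMapping
        @PostAuthorize("hasRole('ADMIN') or returnObject?.owner == authentication.name")
        public Account account(@Argument String id) {
            Account account = ACCOUNTS.get(id);
            if (account != null) {
                requireOwnerOrAdmin(account.owner());
            }
            return account;
        }

        // Same rule as the annotation, evaluated against the current
        // SecurityContext; throws AccessDeniedException when it fails.
        static void requireOwnerOrAdmin(String owner) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (auth == null || !auth.isAuthenticated()) {
                throw new AccessDeniedException("authentication required");
            }
            boolean admin = auth.getAuthorities().stream()
                    .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
            if (!admin && !owner.equals(auth.getName())) {
                throw new AccessDeniedException("not the account owner");
            }
        }
    }
}
```

The in-method check reads SecurityContextHolder, which is valid when the data fetcher runs on the request thread under Spring MVC; a WebFlux deployment would need the reactive equivalent instead. A regression test for either controller should query Query.account for acc-2 while authenticated as alice and expect a denial; with the hardened controller that denial comes from requireOwnerOrAdmin even if the annotation is not resolved.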
Evidence notes
CVE-2026-41856 has been analyzed by NVD; the NVD entry was last modified on 2026-06-12.
Official resources
- CVE-2026-41856 CVE record (CVE.org)
- CVE-2026-41856 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41856 was published on 2026-06-11T07:16:28.513Z and modified on 2026-06-12T14:14:06.457Z.