Description
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization.

Affected versions:
Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
Published: 2026-06-11
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring for GraphQL is vulnerable to unsafe deserialization when processing paginated GraphQL queries. A crafted GraphQL request against a paginated (Connection) field can trigger deserialization that, when suitable classes are already present on the application's classpath, leads to remote code execution. This is a CWE-502 (Deserialization of Untrusted Data) weakness; the CVSS vector rates the impact on confidentiality, integrity, and availability of the affected system as high on all three.

Affected Systems

The affected product is Spring for GraphQL, a Spring project (the CVE is assigned by VMware). The vulnerable version ranges are 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, and 1.3.0 through 1.3.8. A deployment is exposed only if it runs one of these versions and its schema exposes a paginated (Connection) field; whether it is actually exploitable further depends on which classes are present on its classpath, which the advisory does not enumerate.
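A quick way to check a build against these ranges, as an added example that is not OpenCVE's or the Spring project's code: parse Spring for GraphQL artifact versions out of `mvn dependency:list` style output and classify each one. The sample output lines are constructed. The group id org.springframework.graphql is the real one; the rule that a pre-release build numbered one patch past an affected range is reported as "unverified" rather than fixed is this example's own, because the page lists no fixed version.

```python
import re

# Affected ranges from the advisory, inclusive on both ends.
AFFECTED_RANGES = (
    ((2, 0, 0), (2, 0, 3)),
    ((1, 4, 0), (1, 4, 5)),
    ((1, 3, 0), (1, 3, 8)),
)

# major.minor.patch with an optional Maven-style qualifier (-SNAPSHOT, -RC1, -M2).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?$")

# 'mvn dependency:list' line for any artifact in the Spring for GraphQL group
# (spring-graphql, spring-graphql-test, ... ship from the same group).
DEP_RE = re.compile(r"org\.springframework\.graphql:([\w-]+):jar:([^:\s]+)")


def parse_version(text):
    """Split '1.3.8' or '2.0.4-SNAPSHOT' into ((major, minor, patch), qualifier)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def classify(version):
    """Return 'affected', 'not affected' or 'unverified pre-release'.

    A qualified (pre-release) build numbered one patch past the top of an
    affected range may predate the fix, since no fixed version is published
    yet, so it is reported separately instead of being trusted as fixed.
    This rule is the example's own, not something the advisory states.
    """
    num, qualifier = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= num <= hi:
            return "affected"
        if qualifier and num == (hi[0], hi[1], hi[2] + 1):
            return "unverified pre-release"
    return "not affected"


def scan_dependency_list(lines):
    """Map 'artifact:version' -> classification for each matching line."""
    findings = {}
    for line in lines:
        m = DEP_RE.search(line)
        if m:
            artifact, version = m.groups()
            findings["%s:%s" % (artifact, version)] = classify(version)
    return findings


# Constructed sample of 'mvn dependency:list' output; not from a real build.
SAMPLE_DEPENDENCY_LIST = """
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-graphql:jar:3.3.0:compile
[INFO]    org.springframework.graphql:spring-graphql:jar:1.3.8:compile
[INFO]    org.springframework.graphql:spring-graphql-test:jar:1.3.8:test
[INFO]    com.graphql-java:graphql-java:jar:22.1:compile
""".strip().splitlines()

if __name__ == "__main__":
    for coord, verdict in sorted(scan_dependency_list(SAMPLE_DEPENDENCY_LIST).items()):
        print("%-40s %s" % (coord, verdict))
```

Run it against the real `mvn dependency:list -DincludeGroupIds=org.springframework.graphql` output (or the equivalent Gradle dependency report) of each service; the Spring Boot starter line is deliberately ignored, because the starter version does not tell you which Spring for GraphQL version it resolved.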

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) places this issue in the high-severity category: the attack is network-reachable through the ordinary GraphQL endpoint and needs no privileges or user interaction, and the attack complexity is rated high because success depends on conditions outside the attacker's control, namely an exposed paginated (Connection) field and suitable classes already present on the application classpath. EPSS data is unavailable, so no exploitation probability estimate exists yet. The vulnerability is not in the CISA KEV catalog, which means CISA has not confirmed in-the-wild exploitation, not that none is occurring; given the impact and how commonly GraphQL APIs are internet-facing, prompt action is warranted.

Generated by OpenCVE AI on June 11, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring for GraphQL to a release past each affected range (beyond 2.0.3, 1.4.5, or 1.3.8 on the respective branch) as soon as Spring publishes one; at the time of this page no fixed version is listed, so confirm the fixed version from the vendor advisory rather than assuming the next patch number.
  • Reduce the classpath gadget surface: audit third-party libraries and custom classes that are reachable during deserialization and remove those the application does not need. The advisory does not name the classes involved, so treat this as attack-surface reduction, not a fix.
  • Constrain deserialization with the mechanism that matches the deserializer in use (the advisory does not say which one): a JDK ObjectInputFilter (JEP 290) allow-list for Java serialization, or a Jackson PolymorphicTypeValidator allow-list if polymorphic typing is involved. Independently, validate Connection cursor arguments (after/before) against the opaque cursor format the application itself issues, and reject anything else before it reaches a data fetcher.
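As an added illustration of the last point, not code from this page, OpenCVE, or the Spring project: a pre-screen for Connection cursor arguments, written in Python so it runs offline against captured request bodies. It assumes (a) the attacker-controlled input of a paginated query is the after/before cursor, (b) cursors are base64 and decode to the offset form O_<n> or the keyset form K_{...} emitted by Spring for GraphQL's scroll-position cursor strategy (this grammar is an assumption about the deployment; adjust it to whatever your application issues), and (c) two generic markers are worth rejecting outright, a Java serialization stream header and a Jackson polymorphic type discriminator. The sample request bodies are constructed and the class name in them is a placeholder; the advisory does not describe the actual payload shape, and this screen does not claim to catch it, only to enforce that cursors look like cursors.

```python
import base64
import binascii
import json
import re

# ObjectOutputStream stream magic (0xACED) and version (0x0005).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Jackson polymorphic-typing discriminators; a keyset cursor carries plain
# key/value pairs and never a class-name hint.
TYPE_HINTS = ("@class", "@type", "@c", "@t")

# ASSUMED cursor grammar: offset form "O_<n>" or keyset form "K_{...}" before
# base64 encoding. Adjust to whatever your application actually issues.
EXPECTED_CURSOR = re.compile(r"^(?:O_\d{1,12}|K_\{.*\})$", re.S)

# after/before arguments in query text: inline string literal or variable ref.
ARG_RE = re.compile(r'\b(after|before)\s*:\s*(?:\$(\w+)|"((?:[^"\\]|\\.)*)")')


def _b64decode(text):
    """Strict base64 decode (standard or URL-safe alphabet); None on failure."""
    s = text.strip().replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_cursor(cursor):
    """Return (accepted, reason) for one cursor string."""
    raw = _b64decode(cursor)
    if raw is None:
        return False, "not base64"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return False, "java serialization stream header"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "binary payload"
    if any(ord(c) < 0x20 and c not in "\t\n\r" for c in text):
        return False, "control characters"
    if any(hint in text for hint in TYPE_HINTS):
        return False, "polymorphic type hint in cursor"
    if text.startswith("K_"):
        try:
            keys = json.loads(text[2:])
        except ValueError:
            return False, "keyset cursor is not JSON"
        # Default-typing payloads arrive as ["class.Name", {...}] or nest objects.
        if not isinstance(keys, dict) or any(isinstance(v, (dict, list)) for v in keys.values()):
            return False, "keyset cursor is not a flat object"
    if not EXPECTED_CURSOR.match(text):
        return False, "unexpected cursor shape"
    return True, "ok"


def screen_request(body):
    """Screen one GraphQL request body ({'query': ..., 'variables': {...}}).

    Returns a list of (argument, cursor, reason) for every rejected cursor;
    an empty list means the request may proceed to the executor.
    """
    query = body.get("query", "")
    variables = body.get("variables") or {}
    rejected = []
    for arg, var_name, literal in ARG_RE.findall(query):
        # GraphQL string-literal escapes are JSON-compatible for this purpose.
        cursor = variables.get(var_name) if var_name else json.loads('"%s"' % literal)
        if not isinstance(cursor, str):
            continue  # null or absent cursor means "first page": nothing to decode
        ok, reason = inspect_cursor(cursor)
        if not ok:
            rejected.append((arg, cursor, reason))
    return rejected


def _b64(data):
    if isinstance(data, str):
        data = data.encode()
    return base64.b64encode(data).decode()


# Constructed request bodies: two benign, two that a screen should stop.
# "com.example.Placeholder" is a stand-in class name, not a known gadget.
SAMPLE_REQUESTS = [
    {"query": '{ books(first: 10, after: "%s") { edges { node { id } } } }' % _b64("O_10")},
    {"query": "query($c: String) { books(first: 5, after: $c) { edges { cursor } } }",
     "variables": {"c": _b64('K_{"id":42,"title":"x"}')}},
    {"query": '{ books(first: 1, after: "%s") { edges { cursor } } }'
              % _b64(JAVA_SERIAL_MAGIC + b"sr\x00\x10")},
    {"query": "query($c: String) { books(last: 1, before: $c) { edges { cursor } } }",
     "variables": {"c": _b64('K_{"@class":"com.example.Placeholder","cmd":"id"}')}},
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_REQUESTS):
        print(i, screen_request(body) or "clean")
```

In production the same logic belongs in front of the GraphQL executor (a request interceptor or WAF rule), and the grammar should be derived from the cursors the application actually emits rather than the assumed O_/K_ forms above; the value of the screen is that a cursor is an opaque token the server minted, so anything that does not round-trip through the server's own encoder has no business reaching a data fetcher.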

Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 06:45:00 +0000

Type         Values Removed   Values Added
Description  -                Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
Title        -                Unsafe Deserialization in Spring GraphQL
Weaknesses   -                CWE-502
References   -                -
Metrics      -                cvssV3_1: score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:43.290Z

Reserved: 2026-04-22T06:21:22.982Z

Link: CVE-2026-41699

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-11T07:16:28.280

Modified: 2026-06-11T07:16:28.280

Link: CVE-2026-41699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses