Description
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.

Affected versions:
Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Data REST includes a JSON Patch implementation that, when resolving a multi-segment JSON Pointer, fails to apply the write-access filter to intermediate segments. The result is that an attacker can modify properties that are intended to be read‑only on nested objects and collections, thereby violating access control and potentially altering sensitive data or configuration settings. The weakness is classified as an access control violation (CWE‑284).

Affected Systems

The vulnerability affects Spring:Spring Data REST across several releases: 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but based on the description it is inferred that the likely attack vector is remote: a remote attacker can craft a JSON Patch request to a public REST endpoint, supply a JSON Pointer that targets a read‑only property, and the server will apply the change. Because no special conditions are required beyond reaching the endpoint, the likelihood of exploitation is reasonable for exposed services.

Generated by OpenCVE AI on June 10, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Data REST to a fixed release (e.g., 3.7.20 or later, 4.3.17 or later, 4.4.15 or later, 4.5.12 or later, 5.0.6 or later).
  • If an upgrade is not immediately possible, block or disable the JSON Patch (application/json-patch+json) content type for any services that expose read‑only resources, or ensure those endpoints reject patch operations that modify protected properties.
  • Apply additional runtime checks or custom filters that enforce read‑only restrictions on nested objects and collections to prevent unintended modifications until a patch is deployed.

Generated by OpenCVE AI on June 10, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-41728 cve-icon cve-icon
History

Wed, 10 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Description Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Title Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-09T23:49:13.279Z

Reserved: 2026-04-22T06:21:39.014Z

Link: CVE-2026-41728

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T00:16:52.260

Modified: 2026-06-10T00:16:52.260

Link: CVE-2026-41728

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:00:13Z

Weaknesses