Description
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions:
Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Published: 2026-06-11
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring GraphQL’s annotation detection mechanism can fail to resolve @Controller data fetcher annotations on methods that are inherited through type hierarchies. When this occurs, the runtime may ignore security annotations that are intended to enforce authorization, allowing a request to be processed without the expected access checks. The fundamental weakness is an Improper Access Control (CWE-284), which can lead to unauthorized access to sensitive data or functionality that should be protected.

Affected Systems

The affected products are Spring for GraphQL releases 1.0.0 through 1.0.6, 1.3.0 through 1.3.8, 1.4.0 through 1.4.5, and 2.0.0 through 2.0.3. Any application that includes any of these versions and relies on the annotation mechanism for authorization is potentially impacted.

Risk and Exploitability

This vulnerability receives a CVSS score of 7.5, indicating high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. Based on the description, the attack would likely involve sending a GraphQL query that invokes an inherited method whose authorization annotations are ignored, which could be performed remotely over the network wherever the GraphQL endpoint is exposed. Since exploitation requires that the authorization annotations sit on a method in a type hierarchy and are not resolved at runtime, the risk materializes primarily when the application relies on these annotations alone for access control.

Generated by OpenCVE AI on June 11, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Spring for GraphQL version 2.0.4 or later, where the annotation resolution bug has been fixed.
  • Avoid using authorization annotations on methods that are inherited from parent classes until the patch is applied, or replace them with explicit programmatic access checks.
  • Audit existing GraphQL controllers for methods that rely solely on annotations for authorization and add redundant checks or adhere to a consistent access control strategy.
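
The last two actions amount to one concrete change: do not let a data fetcher's authorization depend only on an annotation that Spring must resolve through a class hierarchy. The Java below is an added illustration written for this page, not code from the advisory, from OpenCVE or from the Spring for GraphQL project; the controller classes, the `allOrders` query, the `ROLE_ADMIN` authority and the sample order data are assumed. It places the layout the advisory tells you to avoid (a `@PreAuthorize` on a method declared in a parent class) next to a data fetcher that enforces the same rule programmatically from the Spring Security `SecurityContext`, so the check runs regardless of whether the annotation is detected.

```java
import java.util.List;

import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;

// WEAK PATTERN: the only access check is an annotation on a method declared in a
// parent class and inherited by the @Controller. The advisory states that Spring
// for GraphQL's annotation detection may not resolve annotations on methods within
// type hierarchies, so on an affected version this @PreAuthorize may be ignored.
// (The advisory does not spell out the exact triggering conditions; this is simply
// the layout it recommends avoiding until the fix is applied.)
abstract class BaseOrderController {

    @PreAuthorize("hasRole('ADMIN')")
    @QueryMapping
    public List<String> allOrders() {
        return loadAllOrders();
    }

    protected abstract List<String> loadAllOrders();
}

@Controller
class WeakOrderController extends BaseOrderController {

    @Override
    protected List<String> loadAllOrders() {
        return List.of("order-1", "order-2"); // constructed sample data
    }
}

// HARDENED PATTERN: the data fetcher enforces the rule itself, reading the caller's
// authorities from the Spring Security context. The annotation is kept as a second,
// redundant layer, as the recommended actions suggest, but enforcement no longer
// depends on the annotation being detected.
@Controller
class HardenedOrderController {

    @PreAuthorize("hasRole('ADMIN')")
    @QueryMapping
    public List<String> allOrders() {
        requireAuthority("ROLE_ADMIN"); // assumed authority name for this example
        return List.of("order-1", "order-2"); // constructed sample data
    }

    /** Fails closed: throws AccessDeniedException unless the current caller holds the authority. */
    static void requireAuthority(String required) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean allowed = auth != null
                && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                       .anyMatch(granted -> required.equals(granted.getAuthority()));
        if (!allowed) {
            throw new AccessDeniedException("Missing required authority: " + required);
        }
    }
}
```

The programmatic check is written to fail closed: a missing or unauthenticated `Authentication` is denied rather than silently allowed, and the `AccessDeniedException` it throws is the same type Spring Security raises for annotation failures, which Spring for GraphQL's Spring Security integration turns into a GraphQL error. For the audit in the last action, a quick first pass is to list every `@Controller` that `extends` another class and check whether any of its GraphQL mappings inherit `@PreAuthorize`, `@Secured` or similar annotations without an in-method check.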

Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Title | (none) | Spring GraphQL Annotation Detection Vulnerability
Weaknesses | (none) | CWE-284
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:05:00.491Z

Reserved: 2026-04-22T06:22:10.081Z

Link: CVE-2026-41856

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T07:16:28.513

Modified: 2026-06-11T07:16:28.513

Link: CVE-2026-41856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses