CVE-2026-41006

Bean Property Binding Bypass in Spring HATEOAS

Publication date: 2026-06-09

Last updated on: 2026-06-27

Assigner: VMware

Description

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Affected Vendors & Products

Vendor   Product         Version range (lower bound inclusive, upper bound exclusive)
vmware   spring_hateoas  1.5.0 to 1.5.7
vmware   spring_hateoas  2.3.0 to 2.3.5
vmware   spring_hateoas  2.4.0 to 2.4.2
vmware   spring_hateoas  2.5.0 to 2.5.3
vmware   spring_hateoas  3.0.0 to 3.0.4

Exploitability

CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Executive Summary

CVE-2026-41006 affects the Collection+JSON and UBER media type deserializers in Spring HATEOAS. Both bind an incoming request body to bean properties through the internal PropertyUtils.createObjectFromProperties method, which works by reflection and does not consult Jackson access-control annotations, the annotations an application normally uses to keep a client from writing a property.

As a result, an application that enables either hypermedia type and exposes a controller accepting a RepresentationModel or EntityModel subclass as a request body may let a client bind properties those annotations were meant to protect. A security-sensitive property that is guarded only by such an annotation, and still has a setter behind it, can be set from the request body.

Compliance Impact

Because the flaw bypasses Jackson access-control annotations, an application that relies on them to keep clients from modifying security-sensitive properties loses that control for Collection+JSON and UBER request bodies. Where those properties hold regulated data or feed authorization decisions, unauthorized modification can put the application out of compliance with requirements such as GDPR and HIPAA, which mandate controls over who may access and change sensitive information.

Affected applications are those that enable the COLLECTION_JSON or UBER hypermedia types and expose controllers accepting RepresentationModel or EntityModel subclasses as request bodies, with no restriction on the relevant setters beyond Jackson annotations.

Upgrading to a fixed version of Spring HATEOAS restores enforcement of the annotations and with it the intended access control.

Impact Analysis

An attacker who can submit a Collection+JSON or UBER request body can set properties that are protected only by Jackson annotations and are not otherwise restricted by their setters.

If your application enables the COLLECTION_JSON or UBER hypermedia types and exposes controllers that accept RepresentationModel or EntityModel subclasses as request bodies, such a request can alter those properties and, through them, the security or behaviour of the application.
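
The affected pattern described in the summary and impact sections above, placed beside a hardened form. This is an added illustration, not code from the Spring HATEOAS project or from this advisory. The class, field and endpoint names (UserModel, role, CreateUserRequest, /users) are assumptions. The point of the first model is that the only thing keeping a client from writing role is a Jackson access-control annotation (here @JsonProperty(access = READ_ONLY); @JsonIgnore is the other common one), and that annotation is exactly what the affected deserializers skip. The hardened form does not depend on the annotation at all: the request type has no bindable property for the sensitive field, so reflective property binding has nothing to write to, and the server assigns the value itself. This is a design control that reduces exposure; it does not replace the upgrade.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonProperty.Access;
import org.springframework.context.annotation.Configuration;
import org.springframework.hateoas.MediaTypes;
import org.springframework.hateoas.RepresentationModel;
import org.springframework.hateoas.config.EnableHypermediaSupport;
import org.springframework.hateoas.config.EnableHypermediaSupport.HypermediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Precondition one from the advisory: COLLECTION_JSON or UBER is enabled.
// An application that enables only HAL is not in scope.
@Configuration
@EnableHypermediaSupport(type = { HypermediaType.HAL, HypermediaType.COLLECTION_JSON, HypermediaType.UBER })
class HypermediaConfig {
}

// AFFECTED PATTERN (hypothetical model). 'role' is protected only by a Jackson
// access annotation. Plain Jackson honours READ_ONLY and discards the value on
// deserialisation; per the advisory, the Collection+JSON / UBER deserializers in
// affected versions bind through PropertyUtils.createObjectFromProperties without
// consulting the annotation, so a request body carrying "role" reaches setRole().
class UserModel extends RepresentationModel<UserModel> {

    private String name;

    @JsonProperty(access = Access.READ_ONLY)
    private String role = "USER";

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
}

// HARDENED PATTERN (hypothetical). The request type has no bean property for the
// sensitive field, so there is nothing for reflective property binding to set,
// whichever annotations the deserializer does or does not consult.
class CreateUserRequest extends RepresentationModel<CreateUserRequest> {

    private String name;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

@RestController
class UserController {

    // Precondition two from the advisory: a RepresentationModel subclass as the
    // request body of an endpoint that consumes Collection+JSON or UBER.
    @PostMapping(path = "/users/legacy",
                 consumes = { MediaTypes.COLLECTION_JSON_VALUE, MediaTypes.UBER_JSON_VALUE })
    ResponseEntity<UserModel> createLegacy(@RequestBody UserModel body) {
        // On an affected version body.getRole() is whatever the client sent.
        return ResponseEntity.ok(body);
    }

    // Hardened shape: bind only what the client may set, assign the rest server-side.
    @PostMapping(path = "/users",
                 consumes = { MediaTypes.COLLECTION_JSON_VALUE, MediaTypes.UBER_JSON_VALUE })
    ResponseEntity<UserModel> create(@RequestBody CreateUserRequest body) {
        UserModel user = new UserModel();
        user.setName(body.getName());
        user.setRole("USER"); // never taken from the request
        return ResponseEntity.ok(user);
    }
}
```

The same separation applies to any property that decides authorization or ownership (an owner id, an approval flag, a tenant id): keep it off the request type rather than trusting an annotation to strip it, and the deserializer's behaviour stops mattering for that field.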

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Spring HATEOAS to a fixed version.

  • Upgrade to version 1.5.7 (Enterprise Support only)
  • Upgrade to version 2.3.5 (Enterprise Support only)
  • Upgrade to version 2.4.2 (Enterprise Support only)
  • Upgrade to version 2.5.3 (Open Source Software)
  • Upgrade to version 3.0.4 (Open Source Software)

Versions on lines that are no longer supported receive no fix and remain vulnerable; move them to one of the fixed releases above as soon as possible.

Detection Guidance

This vulnerability affects applications running Spring HATEOAS 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, or 3.0.0 through 3.0.3 with the COLLECTION_JSON or UBER hypermedia type enabled.

To detect exposure, first establish the Spring HATEOAS version your application actually resolves (in a Spring Boot application the version is usually managed by the Boot BOM, so check the resolved dependency rather than the one declared in your build file). Then check whether @EnableHypermediaSupport includes COLLECTION_JSON or UBER, and whether any controller accepts a RepresentationModel or EntityModel subclass as a request body.

The available resources provide no specific network or system commands for detection.
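
A version check for the first detection step, written for this page as an added example; it is not a tool from the Spring HATEOAS project or from the advisory. It encodes the five affected ranges listed above, parses a version string as obtained from the build (for Maven, mvn dependency:tree -Dincludes=org.springframework.hateoas:spring-hateoas; for Gradle, gradle dependencies --configuration runtimeClasspath), and treats a pre-release qualifier such as -SNAPSHOT or -RC1 as ordering before the bare release, so 2.5.3-SNAPSHOT is still reported as affected. The class name and the caution it prints for version lines the advisory does not list are my own choices.

```java
/**
 * Checks a Spring HATEOAS version string against the affected ranges in CVE-2026-41006.
 * Usage: java SpringHateoasCveCheck.java 2.5.2
 * Exit status: 0 not in a listed range, 1 affected, 2 usage error.
 */
public class SpringHateoasCveCheck {

    /** Affected ranges as [lowerInclusive, upperExclusive]; the upper bound is the fixed release. */
    static final String[][] AFFECTED = {
        { "1.5.0", "1.5.7" },   // 1.5.7 is Enterprise Support only
        { "2.3.0", "2.3.5" },   // 2.3.5 is Enterprise Support only
        { "2.4.0", "2.4.2" },   // 2.4.2 is Enterprise Support only
        { "2.5.0", "2.5.3" },
        { "3.0.0", "3.0.4" },
    };

    /** Parses "major.minor.patch[-qualifier|.qualifier]"; a qualifier sorts before the bare release. */
    static int[] parse(String version) {
        String v = version.trim();
        int qualifier = 0;                       // 0 = final release, -1 = SNAPSHOT / RC / milestone
        int dash = v.indexOf('-');
        if (dash >= 0) {
            qualifier = -1;
            v = v.substring(0, dash);
        }
        String[] parts = v.split("\\.");
        if (parts.length < 3) {
            throw new IllegalArgumentException("expected major.minor.patch, got: " + version);
        }
        if (parts.length > 3 && !"RELEASE".equals(parts[3])) {
            qualifier = -1;                      // e.g. the older 1.0.0.RC1 style
        }
        return new int[] { Integer.parseInt(parts[0]), Integer.parseInt(parts[1]),
                           Integer.parseInt(parts[2]), qualifier };
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 4; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** The fixed release for an affected version, or null if the version is in no listed range. */
    static String fixedVersionFor(String version) {
        int[] v = parse(version);
        for (String[] range : AFFECTED) {
            if (compare(v, parse(range[0])) >= 0 && compare(v, parse(range[1])) < 0) {
                return range[1];
            }
        }
        return null;
    }

    static boolean isAffected(String version) {
        return fixedVersionFor(version) != null;
    }

    /** True if major.minor matches one of the lines the advisory evaluated at all. */
    static boolean isListedLine(String version) {
        int[] v = parse(version);
        for (String[] range : AFFECTED) {
            int[] lower = parse(range[0]);
            if (lower[0] == v[0] && lower[1] == v[1]) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java SpringHateoasCveCheck.java <spring-hateoas-version>");
            System.exit(2);
        }
        String version = args[0];
        String fixed = fixedVersionFor(version);
        if (fixed != null) {
            System.out.println(version + " is affected by CVE-2026-41006; upgrade to " + fixed);
            System.exit(1);
        }
        if (!isListedLine(version)) {
            // The advisory lists no fix for unsupported lines and says they remain vulnerable.
            System.out.println(version + " is on a line the advisory does not list; "
                + "if that line is out of support it has no fix and should be moved to a fixed release");
        } else {
            System.out.println(version + " is not in an affected range");
        }
    }
}
```

A passing version check covers only the first precondition; an application on a fixed release no longer needs the code review, but one on an affected release still has to be checked for the enabled hypermedia types and the request-body controllers before the finding is confirmed or ruled out.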
