CVE-2026-41006
Status: Received (Intake)
Bean Property Binding Bypass in Spring HATEOAS

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
Meta Information
Published: 2026-06-09
Last modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor   Product   Version / Range
spring   hateoas   1.5.0 (inclusive) to 1.5.6 (inclusive)
spring   hateoas   2.3.0 (inclusive) to 2.3.4 (inclusive)
spring   hateoas   2.4.0 (inclusive) to 2.4.1 (inclusive)
spring   hateoas   2.5.0 (inclusive) to 2.5.2 (inclusive)
spring   hateoas   3.0.0 (inclusive) to 3.0.3 (inclusive)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-41006 is a security vulnerability in Spring HATEOAS affecting the versions listed above. It involves the Collection+JSON and UBER media type deserializers, which use the PropertyUtils.createObjectFromProperties method to bind bean properties via reflection. This method does not respect Jackson access-control annotations, which are normally used to restrict access to certain properties.

As a result, applications that enable these hypermedia types and expose controllers accepting RepresentationModel or EntityModel subclasses as request bodies may unintentionally allow binding to security-sensitive properties that should be protected. This can lead to manipulation of properties that are supposed to be restricted.

Impact Analysis

This vulnerability can impact applications by allowing attackers to manipulate security-sensitive properties that are intended to be protected by Jackson annotations but are not explicitly restricted by setters.

If your application enables the COLLECTION_JSON or UBER hypermedia types and exposes controllers that accept RepresentationModel or EntityModel subclasses as request bodies, an attacker could exploit this flaw to alter properties that affect the security or behavior of your application.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Spring HATEOAS to a fixed version.

  • Upgrade to version 1.5.7 (Enterprise Support only)
  • Upgrade to version 2.3.5 (Enterprise Support only)
  • Upgrade to version 2.4.2 (Enterprise Support only)
  • Upgrade to version 2.5.3 (Open Source Software)
  • Upgrade to version 3.0.4 (Open Source Software)

Unsupported versions remain vulnerable and should be upgraded as soon as possible.
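Beyond upgrading, the description above identifies the pattern that is exposed: a property whose only protection is a Jackson access-control annotation, while a public bean setter still exists for a setter-driven binder to call. The following audit is an added example written for this page; it is not code from the advisory or from the Spring HATEOAS project. It assumes only the Jackson annotations jar on the classpath, uses two constructed model classes (AnnotationOnlyUser, SetterRestrictedUser) in place of an application's real RepresentationModel or EntityModel subclasses, and treats any public single-argument setX method as a bean setter, which is an assumption about bean-style binding rather than a statement about the library's internals.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class SensitiveSetterAudit {

    /** Constructed model: "role" is marked read-only for Jackson, but a public setter still exists. */
    public static class AnnotationOnlyUser {
        private String name;
        @JsonProperty(access = JsonProperty.Access.READ_ONLY)
        private String role = "user";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; } // reachable by any setter-based binder
    }

    /** Constructed hardened model: the sensitive property has no public setter at all. */
    public static class SetterRestrictedUser {
        private String name;
        @JsonProperty(access = JsonProperty.Access.READ_ONLY)
        private String role = "user";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getRole() { return role; }
        // Role changes only through an explicit, authorization-checked domain operation.
        void promote(String newRole) { this.role = newRole; }
    }

    /**
     * Returns the names of properties that Jackson would refuse to deserialize
     * (READ_ONLY access or @JsonIgnore) but that are still exposed through a public setter.
     * A non-empty result means the class relies on annotations alone for protection.
     */
    public static List<String> findAnnotationOnlyProtected(Class<?> type) {
        List<String> findings = new ArrayList<>();
        for (Method m : type.getMethods()) { // public methods, including inherited ones
            String n = m.getName();
            if (!n.startsWith("set") || n.length() < 4 || m.getParameterCount() != 1) continue;
            if (!Modifier.isPublic(m.getModifiers()) || Modifier.isStatic(m.getModifiers())) continue;
            String property = Character.toLowerCase(n.charAt(3)) + n.substring(4);
            if (isJacksonRestricted(type, property, m)) findings.add(property);
        }
        Collections.sort(findings);
        return findings;
    }

    /** Checks the setter itself and the backing field (walking up the class hierarchy) for restrictions. */
    private static boolean isJacksonRestricted(Class<?> type, String property, Method setter) {
        if (restricted(setter)) return true;
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            try {
                return restricted(c.getDeclaredField(property));
            } catch (NoSuchFieldException ignored) {
                // field may live in a superclass; keep walking
            }
        }
        return false;
    }

    private static boolean restricted(AccessibleObject element) {
        JsonIgnore ignore = element.getAnnotation(JsonIgnore.class);
        if (ignore != null && ignore.value()) return true;
        JsonProperty jp = element.getAnnotation(JsonProperty.class);
        return jp != null && jp.access() == JsonProperty.Access.READ_ONLY;
    }

    public static void main(String[] args) {
        System.out.println("AnnotationOnlyUser: " + findAnnotationOnlyProtected(AnnotationOnlyUser.class));
        System.out.println("SetterRestrictedUser: " + findAnnotationOnlyProtected(SetterRestrictedUser.class));
    }
}
```

Run the audit over the request-body model classes of controllers that accept Collection+JSON or UBER input: the first constructed class is reported because its read-only "role" is still settable, the second is clean because the only way to change "role" is a package-private domain method. Removing or narrowing the public setter is the setter restriction the impact analysis refers to, and it holds regardless of which binder processes the request.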

Compliance Impact

This vulnerability allows unintended binding of security-sensitive properties in applications using certain Spring HATEOAS hypermedia types, potentially enabling manipulation of data that should be protected. Such unauthorized manipulation of sensitive properties could lead to violations of data protection and security requirements mandated by standards like GDPR and HIPAA, which require strict controls over access and modification of sensitive information.

Applications affected are those that enable COLLECTION_JSON or UBER hypermedia types and expose controllers accepting certain model subclasses as request bodies without additional setter restrictions beyond Jackson annotations. Because the vulnerability bypasses Jackson access-control annotations, it undermines the intended security controls, increasing the risk of non-compliance with regulations that mandate proper access control and data integrity.

Mitigation involves upgrading to fixed versions of Spring HATEOAS, which restores proper enforcement of access controls and helps maintain compliance with relevant security standards.
