CVE-2026-41699
Received Received - Intake
Unsafe Deserialization in Spring for GraphQL

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-11
Last Modified
2026-06-11
Generated
2026-06-11
AI Q&A
2026-06-11
EPSS Evaluated
N/A
NVD
CVE-2026-41699
EUVD
EUVD-2026-36212
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
vmware spring_for_graphql From 1.3.0 (inc) to 1.3.8 (inc)
vmware spring_for_graphql From 1.4.0 (inc) to 1.4.5 (inc)
vmware spring_for_graphql From 2.0.0 (inc) to 2.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows remote code execution through unsafe deserialization in Spring for GraphQL applications, which can lead to unauthorized access or control over affected systems.

Such unauthorized access or control could potentially result in breaches of sensitive data, thereby impacting compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

To maintain compliance, affected applications should be upgraded to fixed versions as recommended, mitigating the risk of exploitation.

Impact Analysis

This vulnerability can lead to Remote Code Execution, allowing an attacker to run arbitrary code on your system remotely.

Such an impact can compromise the confidentiality, integrity, and availability of your application and underlying systems.

Exploitation requires that the application exposes a paginated GraphQL field and contains certain exploitable classes in its classpath.

Executive Summary

CVE-2026-41699 is a high-severity vulnerability in Spring for GraphQL applications involving unsafe deserialization when processing paginated GraphQL queries.

The vulnerability occurs when an application exposes a paginated (Connection) field and has specific classes in its classpath that can be exploited during deserialization.

An attacker can craft a malicious GraphQL request that leverages this unsafe deserialization to achieve Remote Code Execution on the affected system.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Spring for GraphQL to the fixed versions.

  • Upgrade to version 2.0.4 if you are using the 2.0.x branch.
  • Upgrade to version 1.4.6 if you are using the 1.4.x branch.
  • Upgrade to version 1.3.9 if you are using the 1.3.x branch.

No additional mitigation steps are required beyond upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart