CVE-2026-41728
Status: Received - Intake
JSON Patch Path Traversal in Spring Data REST

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Affected Vendors & Products (5 associated CPEs)

Vendor   Product            Version / Range
spring   spring_data_rest   3.7.0 (inclusive) to 3.7.19 (inclusive)
spring   spring_data_rest   4.3.0 (inclusive) to 4.3.16 (inclusive)
spring   spring_data_rest   4.4.0 (inclusive) to 4.4.14 (inclusive)
spring   spring_data_rest   4.5.0 (inclusive) to 4.5.11 (inclusive)
spring   spring_data_rest   5.0.0 (inclusive) to 5.0.5 (inclusive)
CWE

CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-41728 is an access-control flaw in the JSON Patch (application/json-patch+json) support of Spring Data REST. When a patch operation targets a multi-segment JSON Pointer, the implementation does not apply its write-access filter to the intermediate path segments it traverses on the way to the target property.

As a result, a client can modify nested objects and collection elements that the domain model intends to be unmodifiable: a container property that is marked read-only at the Jackson serialization level, and is therefore rejected as a direct patch target, can still be changed by addressing one of its inner fields or elements directly.

Applications are exposed where an embeddable object, collection or map property is read-only as a container while its inner elements carry no field-level restriction of their own.
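The following is an added model of the check this advisory describes, written for this page; it is not Spring Data REST's own code. It applies a JSON Patch "replace" over a dict-shaped domain object, with a set of JSON Pointers standing in for properties marked read-only at the serialization level. The vulnerable variant compares only the complete target path against the read-only set, so a write beneath a read-only container passes; the fixed variant also checks every intermediate prefix the pointer traverses. The sample entity, the read-only markers and the function names are assumptions made for the example.

```python
"""Model of a JSON Patch write-access filter that does and does not check
intermediate JSON Pointer segments (example code, not Spring Data REST)."""
from copy import deepcopy
from typing import Callable


def parse_pointer(pointer: str) -> list[str]:
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON Pointer: {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def pointer_of(tokens: list[str]) -> str:
    """Re-encode reference tokens as a JSON Pointer, escaping '~' and '/'."""
    return "".join("/" + t.replace("~", "~0").replace("/", "~1") for t in tokens)


def writable_leaf_only(tokens: list[str], read_only: set[str]) -> bool:
    """Vulnerable check: only the complete target path is compared, so
    '/address/street' is allowed even though '/address' is read-only."""
    return pointer_of(tokens) not in read_only


def writable_all_segments(tokens: list[str], read_only: set[str]) -> bool:
    """Fixed check: every prefix of the pointer must be writable, so a
    read-only container blocks writes to anything beneath it."""
    return all(pointer_of(tokens[:i]) not in read_only for i in range(1, len(tokens) + 1))


def apply_replace(doc, pointer: str, value, read_only: set[str],
                  writable: Callable[[list[str], set[str]], bool]):
    """Apply one JSON Patch 'replace' op and return a new document, or raise
    PermissionError when the chosen write-access check denies it."""
    tokens = parse_pointer(pointer)
    if not tokens:
        raise PermissionError("replacing the whole document is not allowed")
    if not writable(tokens, read_only):
        raise PermissionError(f"write to {pointer} denied")
    new_doc = deepcopy(doc)
    parent = new_doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    leaf = tokens[-1]
    if isinstance(parent, list):
        parent[int(leaf)] = value
    else:
        parent[leaf] = value
    return new_doc


def try_patch(doc, patch: list[dict], read_only: set[str], writable) -> str:
    """Run a patch document (replace ops only) and report the outcome."""
    try:
        for op in patch:
            if op["op"] != "replace":
                raise ValueError("this model only handles 'replace'")
            doc = apply_replace(doc, op["path"], op["value"], read_only, writable)
    except PermissionError as exc:
        return f"denied: {exc}"
    return "applied"


# Constructed sample entity (not from the advisory): the embedded address and
# the roles collection are read-only containers; their inner fields and
# elements carry no restriction of their own.
CUSTOMER = {
    "name": "Ada",
    "address": {"street": "1 Main St", "city": "Springfield"},
    "roles": ["user"],
}
READ_ONLY = {"/address", "/roles"}

if __name__ == "__main__":
    for path, value in [("/name", "Grace"), ("/address", {}),
                        ("/address/street", "0 Nowhere"), ("/roles/0", "admin")]:
        patch = [{"op": "replace", "path": path, "value": value}]
        print(f"{path:16} leaf-only: {try_patch(CUSTOMER, patch, READ_ONLY, writable_leaf_only):36}"
              f" all-segments: {try_patch(CUSTOMER, patch, READ_ONLY, writable_all_segments)}")
```

Running the block shows the two checks agreeing on /name (allowed) and /address (denied) and disagreeing on /address/street and /roles/0, which is exactly the gap the advisory describes: the leaf-only check never sees the read-only container it passed through.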

Impact Analysis

The flaw permits unauthorized modification of data: a client that is allowed to send JSON Patch requests can change nested objects and collection elements that the write-access filter is meant to protect, by targeting them through a read-only container.

Because the affected properties are ones the application deliberately exposed as read-only, such writes undermine the integrity of the domain data and can corrupt or manipulate records without proper authorization.

Mitigation Strategies

Upgrade Spring Data REST to the fixed release for the branch in use:

  • 3.7.x: upgrade to 3.7.20 (commercial)
  • 4.3.x: upgrade to 4.3.17 (commercial)
  • 4.4.x: upgrade to 4.4.15 (commercial)
  • 4.5.x: upgrade to 4.5.12 (OSS)
  • 5.0.x: upgrade to 5.0.6 (OSS)

Until the upgrade is in place, review domain classes in which a read-only embeddable object, collection or map property holds elements with no field-level restriction of their own; those are the shapes the summary above identifies as exposed.
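The following is an added helper for this page, not a tool from the Spring project: it takes the affected ranges listed above, tells you whether a resolved Spring Data REST version is affected and which fixed release to move to, and scans a dependency report for spring-data-rest artifacts. The report lines are constructed for the example and follow the "group:artifact:version" shape of a Gradle or Maven dependency listing; the artifact names and the function names are assumptions made for the example.

```python
"""Affected-range check for CVE-2026-41728 (example code, not from Spring)."""
import re
from typing import Optional

# (first affected, last affected, fixed release) per branch; both ends inclusive,
# taken from the advisory's affected-version list.
AFFECTED_RANGES = [
    ((3, 7, 0), (3, 7, 19), "3.7.20 (commercial)"),
    ((4, 3, 0), (4, 3, 16), "4.3.17 (commercial)"),
    ((4, 4, 0), (4, 4, 14), "4.4.15 (commercial)"),
    ((4, 5, 0), (4, 5, 11), "4.5.12 (OSS)"),
    ((5, 0, 0), (5, 0, 5), "5.0.6 (OSS)"),
]


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing qualifier such as '-SNAPSHOT'
    or '.RELEASE' is ignored for the range comparison."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if the
    version is outside every affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


# Matches 'org.springframework.data:spring-data-rest-<module>:<version>' with an
# optional 'jar:' packaging segment as printed by Maven dependency listings.
DEP_LINE = re.compile(
    r"org\.springframework\.data:(spring-data-rest-[a-z-]+):(?:jar:)?(\d+\.\d+\.\d+[^\s:]*)"
)


def scan_dependency_report(text: str) -> list:
    """Return (artifact, version, fixed_release) for every spring-data-rest
    artifact in the report whose version is affected."""
    findings = []
    for artifact, version in DEP_LINE.findall(text):
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings.append((artifact, version, fixed))
    return findings


# Constructed sample report (not real project output). Note that the Boot
# starter version says nothing about the Spring Data REST version it resolves.
SAMPLE_REPORT = """\
+--- org.springframework.boot:spring-boot-starter-data-rest:3.4.5
|    +--- org.springframework.data:spring-data-rest-webmvc:4.4.5
|    |    +--- org.springframework.data:spring-data-rest-core:4.4.5
|    +--- org.springframework.data:spring-data-rest-hal-explorer:4.4.5
+--- org.springframework.data:spring-data-rest-core:5.0.6 (*)
"""

if __name__ == "__main__":
    for artifact, version, fixed in scan_dependency_report(SAMPLE_REPORT):
        print(f"{artifact} {version} is affected; upgrade to {fixed}")
```

Check the resolved spring-data-rest artifacts in the dependency report rather than the version of a starter or of Spring Boot itself, since the managed Spring Data REST version is what the affected ranges refer to.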
Compliance Impact

Because the flaw lets a client bypass write restrictions on nested objects and collections, it can result in data being modified without authorization.

Unauthorized data modification bears on standards and regulations such as GDPR and HIPAA, which require controls over data integrity and protection against unauthorized changes.

Applications running an affected version therefore carry an increased risk of non-compliance until they are upgraded.
