CVE-2026-41728
Status: Awaiting Analysis

JSON Patch Path Traversal in Spring Data REST

Vulnerability report for CVE-2026-41728, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-22

Assigner: VMware

Description

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-22
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Showing 5 associated CPEs

Vendor   Product           Version / Range
vmware   spring_data_rest  3.7.0 (inclusive) to 3.7.19 (inclusive)
vmware   spring_data_rest  4.3.0 (inclusive) to 4.3.16 (inclusive)
vmware   spring_data_rest  4.4.0 (inclusive) to 4.4.14 (inclusive)
vmware   spring_data_rest  4.5.0 (inclusive) to 4.5.11 (inclusive)
vmware   spring_data_rest  5.0.0 (inclusive) to 5.0.5 (inclusive)

CWE

CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Compliance Impact

The vulnerability in Spring Data REST allows attackers to bypass write restrictions on nested objects and collections, potentially leading to unauthorized modification of data.

Such unauthorized data modifications can impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity and protection against unauthorized changes.

Therefore, applications affected by this vulnerability may face increased risk of non-compliance due to the potential for unauthorized data alteration.

Executive Summary

CVE-2026-41728 is a security vulnerability in Spring Data REST's JSON Patch implementation. The issue arises because the implementation does not properly enforce write-access restrictions on intermediate path segments when resolving multi-segment JSON Pointer paths.

This flaw allows attackers to bypass write restrictions on nested objects and collections within the domain model, even if the container is marked as read-only at the Jackson serialization level.

It particularly affects applications that use embeddable objects, collections, or map properties where the container is read-only but the inner elements lack field-level restrictions.
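The check described in the Description and Executive Summary above, modelled as an added illustration in Python (this is not Spring Data REST's code): a write filter that inspects only the final JSON Pointer segment lets a patch reach `/address/street` even though `/address` is read-only, while a filter that inspects every ancestor segment rejects it. The sample document, the read-only set and all function names are constructed.

```python
# Added illustration of the flaw class, not Spring Data REST's code.
# The sample document, the read-only set and all names are constructed.
import copy

def parse_pointer(pointer: str) -> list[str]:
    """Split an RFC 6901 JSON Pointer into unescaped segments."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError("JSON Pointer must start with '/'")
    # RFC 6901: unescape ~1 before ~0 so that "~01" yields "~1", not "/".
    return [s.replace("~1", "/").replace("~0", "~") for s in pointer[1:].split("/")]

def first_read_only_prefix(pointer: str, read_only: set[str], check_intermediate: bool):
    """Return the first pointer on the path that is in read_only, or None.
    check_intermediate=False inspects only the full target pointer (the flaw);
    True also inspects every ancestor pointer (the fix)."""
    segs = parse_pointer(pointer)
    prefixes = ["/" + "/".join(s.replace("~", "~0").replace("/", "~1") for s in segs[:i])
                for i in range(1, len(segs) + 1)]
    candidates = prefixes if check_intermediate else prefixes[-1:]
    return next((p for p in candidates if p in read_only), None)

def apply_replace(doc: dict, pointer: str, value, read_only: set[str],
                  check_intermediate: bool) -> dict:
    """Apply one JSON Patch 'replace' op to a deep copy of doc, or raise."""
    blocked = first_read_only_prefix(pointer, read_only, check_intermediate)
    if blocked is not None:
        raise PermissionError(f"{blocked} is read-only")
    segs = parse_pointer(pointer)
    if not segs:
        raise ValueError("replacing the whole document is not supported")
    new_doc = copy.deepcopy(doc)
    node = new_doc
    for seg in segs[:-1]:  # descend to the parent of the target
        node = node[int(seg)] if isinstance(node, list) else node[seg]
    last = segs[-1]
    if isinstance(node, list):
        node[int(last)] = value
    elif last in node:  # 'replace' requires the member to exist already
        node[last] = value
    else:
        raise KeyError(last)
    return new_doc

# Constructed sample: the 'address' container and the 'roles' collection are
# read-only, but their inner elements carry no field-level restriction.
USER = {"name": "alice", "roles": ["user"],
        "address": {"street": "1 Main St", "city": "Springfield"}}
READ_ONLY = {"/address", "/roles"}
```

With `check_intermediate=False`, `apply_replace(USER, "/address/street", ...)` succeeds because only `/address/street` is looked up; with `True` the lookup of the ancestor `/address` raises `PermissionError`, which is the behaviour the fixed releases restore.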

Impact Analysis

This vulnerability can lead to unauthorized modification of data within affected applications. Attackers can exploit the flaw to change nested objects or collections that should be protected by write-access filters.

Such unauthorized changes can compromise the integrity of the application's data, potentially leading to data corruption or manipulation without proper authorization.

Mitigation Strategies

To mitigate the risk of CVE-2026-41728, users should upgrade their Spring Data REST versions to the fixed releases.

  • Upgrade to version 3.7.20 (commercial) if using the 3.7.x series.
  • Upgrade to version 4.3.17 (commercial) if using the 4.3.x series.
  • Upgrade to version 4.4.15 (commercial) if using the 4.4.x series.
  • Upgrade to version 4.5.12 (OSS) if using the 4.5.x series.
  • Upgrade to version 5.0.6 (OSS) if using the 5.0.x series.
