CVE-2026-41837
Spring Data REST Path Traversal via Querydsl Filter

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VMware

Description
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations (for example properties hidden from serialization with @JsonIgnore or a custom serializer) before handing them to Querydsl. A property that never appears in a response can therefore still be used as a filter key. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
CVSS / EPSS: no scores are published on this page (EPSS evaluated: N/A).
Affected Vendors & Products (5 associated CPEs)
Vendor          Product           Version / Range
spring_project  spring_data_rest  3.7.0 to 3.7.19 (both inclusive)
spring_project  spring_data_rest  4.3.0 to 4.3.16 (both inclusive)
spring_project  spring_data_rest  4.4.0 to 4.4.14 (both inclusive)
spring_project  spring_data_rest  4.5.0 to 4.5.11 (both inclusive)
spring_project  spring_data_rest  5.0.0 to 5.0.5 (both inclusive)
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-41837 is a medium-severity vulnerability in Spring Data REST's Querydsl integration. The integration accepts arbitrary persistent property paths as filter keys in request parameters and passes them to Querydsl without considering Jackson customizations. Despite the "path traversal" wording in the title, the paths involved are entity property paths (for example a column or a nested association), not filesystem paths; the weakness is an access-control gap (CWE-284), not file access.

As a result, properties that Jackson normally hides from API responses can still be filtered on, so data the application developers never intended to expose becomes observable through the API.

Impact Analysis

The vulnerability can lead to unintended data exposure because an attacker can use any persistent property path as a filter key. Jackson annotations such as @JsonIgnore only control what is serialized into the response; they do not stop Querydsl from evaluating a predicate against the hidden property, so the returned result set still reflects the hidden value.

Sensitive or private data that the API is meant to keep hidden can therefore be learned indirectly, increasing the risk of data leaks. Any repository exposed through Spring Data REST that implements QuerydslPredicateExecutor without restricting its bindings should be treated as affected.

Mitigation Strategies

To mitigate CVE-2026-41837, upgrade Spring Data REST to a release later than the last affected version in your branch (later than 3.7.19, 4.3.16, 4.4.14, 4.5.11 or 5.0.5 respectively).

As a temporary workaround, affected repositories can implement QuerydslBinderCustomizer and call bindings.excludeUnlistedProperties(true) together with an explicit allow-list of filterable property paths, so that any request parameter naming an unlisted property is ignored rather than bound as a predicate.
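The workaround above, and the exposure described in the Description, as an added example written for this page (it is not code from the advisory or from the Spring Data project). It assumes a hypothetical User entity whose passwordHash is hidden with @JsonIgnore, a Querydsl-generated QUser class (produced by the Querydsl annotation processor), and the jakarta.persistence namespace used by Spring Data REST 4.x and 5.x (the 3.7 branch uses javax.persistence instead):

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.querydsl.core.types.dsl.StringPath;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

// Hypothetical entity for this example. @JsonIgnore hides passwordHash from
// every serialized response, but it says nothing to Querydsl, which binds
// request parameters against persistent properties, not against Jackson's view.
@Entity
public class User {

    @Id
    private Long id;
    private String username;
    private String email;

    @JsonIgnore
    private String passwordHash;

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public String getEmail() { return email; }
    public String getPasswordHash() { return passwordHash; }
}

// Weak form (what an affected application typically looks like): exposing the
// repository with QuerydslPredicateExecutor and no customizer lets every
// persistent property, passwordHash included, be used as a ?key=value filter.
//
//   @RepositoryRestResource(path = "users")
//   interface UserRepository extends CrudRepository<User, Long>,
//           QuerydslPredicateExecutor<User> {
//   }

// Hardened form: the repository customizes its own bindings with an explicit
// allow-list, so only the listed property paths can be turned into predicates.
@RepositoryRestResource(path = "users")
interface UserRepository extends CrudRepository<User, Long>,
        QuerydslPredicateExecutor<User>,
        QuerydslBinderCustomizer<QUser> {

    @Override
    default void customize(QuerydslBindings bindings, QUser user) {
        // Only these property paths may appear as filter keys. Nested paths
        // (e.g. user.address.city) are filterable only if listed here too.
        bindings.including(user.username, user.email);

        // Drop every request parameter that names an unlisted property instead
        // of binding it. This is the setting the advisory's workaround relies on.
        bindings.excludeUnlistedProperties(true);

        // Optional: make the allowed string filters case-insensitive
        // substring matches rather than exact equality.
        bindings.bind(String.class)
                .first((StringPath path, String value) -> path.containsIgnoreCase(value));
    }
}
```

With the hardened repository in place, a request such as GET /users?passwordHash=... returns the unfiltered collection because the parameter is discarded before Querydsl sees it, whereas the weak form narrows the result set according to the hidden value. Review the allow-list whenever the entity gains a property: excludeUnlistedProperties(true) is what makes new properties safe by default, but anything added to including() is exposed to filtering regardless of its Jackson annotations.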

Compliance Impact

This vulnerability could lead to unintended data exposure by allowing access to fields that are normally hidden by Jackson customizations. Such unintended exposure of sensitive or personal data may impact compliance with data protection regulations like GDPR or HIPAA, which require strict control over access to personal and sensitive information.

Organizations using affected versions of Spring Data REST should consider this risk when evaluating their compliance posture and apply the recommended mitigations or upgrades to prevent potential violations of these standards.
