CVE-2026-41837
Awaiting Analysis - Queue

Spring Data REST Path Traversal via Querydsl Filter

Vulnerability report for CVE-2026-41837, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-22

Assigner: VMware

Description

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-22
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_data_rest From 3.7.0 (inc) to 3.7.19 (inc)
vmware spring_data_rest From 4.3.0 (inc) to 4.3.16 (inc)
vmware spring_data_rest From 4.4.0 (inc) to 4.4.14 (inc)
vmware spring_data_rest From 4.5.0 (inc) to 4.5.11 (inc)
vmware spring_data_rest From 5.0.0 (inc) to 5.0.5 (inc)

Exploitability

CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Compliance Impact

This vulnerability could lead to unintended data exposure by allowing access to fields that are normally hidden by Jackson customizations. Such unintended exposure of sensitive or personal data may impact compliance with data protection regulations like GDPR or HIPAA, which require strict control over access to personal and sensitive information.

Organizations using affected versions of Spring Data REST should consider this risk when evaluating their compliance posture and apply the recommended mitigations or upgrades to prevent potential violations of these standards.

Executive Summary

CVE-2026-41837 is a medium-severity vulnerability in Spring Data REST's Querydsl integration. The issue arises because the integration accepts arbitrary persistent property paths as filter keys in request parameters without considering Jackson customizations before passing them to Querydsl.

This means that fields which Jackson normally hides can be exposed unintentionally, potentially leading to data exposure that was not intended by the application developers.

Impact Analysis

The vulnerability can lead to unintended data exposure because it allows attackers to use arbitrary persistent property paths as filter keys, bypassing Jackson's usual protections.

This could result in sensitive or private data being accessible through the API that should normally be hidden, increasing the risk of data leaks.

Mitigation Strategies

To mitigate CVE-2026-41837, users should upgrade to a Spring Data REST release later than the affected version ranges listed above.

As a temporary workaround, affected repositories can implement QuerydslBinderCustomizer and call bindings.excludeUnlistedProperties(true) with an explicit allow-list of filterable property paths.
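The workaround applied to a hypothetical repository, as an added example that is not code from the advisory or from the Spring Data project. The entity, its fields, the generated QUser query type and the jakarta.persistence package (Spring Data REST 4.x/5.x; 3.7.x uses javax.persistence) are assumptions.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

// Hypothetical entity; QUser below is the Querydsl-generated query type for it.
@Entity
class User {
    @Id
    Long id;
    String name;
    String email;

    // Jackson never serializes this field, but on affected versions that does
    // not stop it from being resolved as a ?passwordHash=... filter key.
    @JsonIgnore
    String passwordHash;
}

@RepositoryRestResource(path = "users")
interface UserRepository extends CrudRepository<User, Long>,
        QuerydslPredicateExecutor<User>,
        QuerydslBinderCustomizer<QUser> {

    @Override
    default void customize(QuerydslBindings bindings, QUser user) {
        // Any request-parameter key not listed below is ignored instead of
        // being resolved as a persistent property path (nested paths included).
        bindings.excludeUnlistedProperties(true);

        // Explicit allow-list of filterable property paths.
        bindings.including(user.name, user.email);

        // Optional: control how the allowed paths are matched.
        bindings.bind(user.name).first((path, value) -> path.containsIgnoreCase(value));
        bindings.bind(user.email).first((path, value) -> path.equalsIgnoreCase(value));
    }
}
```

With this in place a request such as GET /users?passwordHash=x produces no predicate, while ?name=alice and ?email=... still filter as before.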

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.
