CVE-2026-41856
Incorrect Authorization Due to Annotation Resolution in Spring for GraphQL

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Affected Vendors & Products
Vendor Product Version / Range
vmware spring_for_graphql From 1.0.0 (inc) to 2.0.3 (inc)
vmware spring_for_graphql From 1.0.0 (inc) to 1.4.5 (inc)
vmware spring_for_graphql From 1.3.0 (inc) to 1.3.8 (inc)
vmware spring_for_graphql From 1.0.0 (inc) to 1.0.6 (inc)
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-41856 is a high-severity vulnerability in Spring for GraphQL that affects applications using Spring Security's @EnableMethodSecurity feature.

The issue occurs because Spring GraphQL's annotation detection mechanism fails to correctly resolve security annotations on methods within type hierarchies, specifically for @Controller data fetchers.

As a result, authorization checks that rely on these annotations can be bypassed at runtime, potentially allowing unauthorized access.

This vulnerability only impacts applications that have Spring Security on the classpath, use @EnableMethodSecurity for security checks, and implement @Controller classes within type hierarchies.

Impact Analysis

This vulnerability can allow attackers to bypass authorization checks in affected Spring for GraphQL applications.

If your application meets the conditions (using Spring Security, @EnableMethodSecurity, and @Controller classes in type hierarchies), unauthorized users might gain access to protected resources or perform actions without proper permissions.

This can lead to exposure of sensitive data or unauthorized operations, impacting the confidentiality of your system.

Detection Guidance

This vulnerability affects applications that run an affected Spring for GraphQL version together with Spring Security's @EnableMethodSecurity feature. Detection is therefore a configuration check: confirm whether the application ships an affected Spring for GraphQL release (2.0.0 through 2.0.3, 1.4.0 through 1.4.5, 1.3.0 through 1.3.8, or 1.0.0 through 1.0.6), has Spring Security on the classpath with @EnableMethodSecurity enabled, and places security annotations on @Controller data-fetcher methods that sit within a type hierarchy.

There are no specific network or system commands provided to detect this vulnerability directly.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Spring for GraphQL to the fixed versions: 2.0.4, 1.4.6, 1.3.9, or 1.0.7, depending on your release track.

No additional mitigation steps are required beyond upgrading.
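The detection and mitigation guidance above reduces to a dependency check: is the resolved spring-graphql version inside one of the four affected ranges, and if so, which fixed release applies to that track. The script below is an added example, not code from the advisory or from the Spring project. It assumes the library's Maven coordinate is org.springframework.graphql:spring-graphql and that the input is the text printed by `mvn dependency:list`; the dependency lines embedded in it are constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Inclusive affected ranges and the fixed release for each track, as listed in the advisory.
AFFECTED_RANGES = (
    ((2, 0, 0), (2, 0, 3), "2.0.4"),
    ((1, 4, 0), (1, 4, 5), "1.4.6"),
    ((1, 3, 0), (1, 3, 8), "1.3.9"),
    ((1, 0, 0), (1, 0, 6), "1.0.7"),
)

# Maven coordinates (assumption: group:artifact as published on Maven Central).
GRAPHQL_ARTIFACT = "org.springframework.graphql:spring-graphql"
SECURITY_GROUP = "org.springframework.security:"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), ignoring any trailing qualifier such as '-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `version` is in an affected range, else None.

    None only means 'not in a listed affected range'; versions on tracks the advisory does
    not mention (for example 1.1.x or 1.2.x) are not thereby confirmed as safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    for low, high, fixed in AFFECTED_RANGES:
        if low <= parsed <= high:
            return fixed
    return None


def uses_spring_security(lines: Iterable[str]) -> bool:
    """True if any resolved dependency comes from the Spring Security group."""
    return any(SECURITY_GROUP in line for line in lines)


def scan_dependency_list(lines: Iterable[str]) -> List[dict]:
    """Assess every spring-graphql entry in `mvn dependency:list`-style output.

    A typical line is '[INFO]    org.springframework.graphql:spring-graphql:jar:1.4.2:compile';
    the version is the first ':'-separated token after the artifact that looks like a version.
    """
    lines = list(lines)
    security_present = uses_spring_security(lines)
    findings = []
    for line in lines:
        if GRAPHQL_ARTIFACT + ":" not in line:
            continue  # skips other artifacts, including spring-graphql-* siblings
        tail = line.split(GRAPHQL_ARTIFACT + ":", 1)[1]
        version = next((t for t in tail.split(":") if _VERSION_RE.match(t)), None)
        if version is None:
            continue
        fixed = fixed_version_for(version)
        findings.append({
            "version": version,
            "fixed": fixed,
            # Both preconditions from the advisory that a dependency list can reveal; the
            # remaining one (annotated @Controller methods in a type hierarchy) needs code review.
            "review_controllers": fixed is not None and security_present,
        })
    return findings


# Constructed sample output in the shape of `mvn dependency:list`; not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.graphql:spring-graphql:jar:1.4.2:compile
[INFO]    org.springframework.security:spring-security-core:jar:6.3.1:compile
[INFO]    org.springframework:spring-webmvc:jar:6.1.10:compile
""".splitlines()


if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        if f["fixed"] is None:
            print(f"spring-graphql {f['version']}: not in a listed affected range")
        else:
            print(f"spring-graphql {f['version']}: affected, upgrade to {f['fixed']}; "
                  f"review @Controller hierarchies: {f['review_controllers']}")
```

A positive version match only establishes the first precondition; the finding's `review_controllers` flag is set when Spring Security is also resolved, which is the point at which the @EnableMethodSecurity and @Controller-hierarchy conditions should be checked in the source. Either way, the advisory's remedy is the same: move to the fixed release on your track.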

Compliance Impact

This vulnerability can impact compliance with common standards and regulations such as GDPR and HIPAA because it allows security annotations used for authorization decisions to be ignored at runtime. This means unauthorized access to sensitive data or functions could occur if the application relies on Spring Security's @EnableMethodSecurity feature and is affected by this issue. Such unauthorized access could lead to violations of data protection and privacy requirements mandated by these regulations.

To maintain compliance, affected applications should upgrade to the fixed versions of Spring for GraphQL (2.0.4, 1.4.6, 1.3.9, or 1.0.7) to ensure that authorization checks are properly enforced and security annotations are correctly resolved.
