CVE-2026-41006
Description
Spring HATEOAS deserializers allow property binding via reflection, bypassing Jackson security annotations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring HATEOAS versions 1.5.0 through 1.5.6, 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, 2.5.0 through 2.5.2, and 3.0.0 through 3.0.3 are affected. The internal PropertyUtils.createObjectFromProperties method, utilized by the Collection+JSON and UBER media type deserializers, performs bean property binding through reflection without respecting Jackson access-control annotations. This vulnerability is exploitable in applications that enable Collection+JSON or UBER hypermedia types and expose controllers accepting RepresentationModel or EntityModel subclasses as @RequestBody, where the bound model has a setter for a security-sensitive property protected only by Jackson annotations [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted request to an application endpoint that accepts RepresentationModel or EntityModel subclasses via @RequestBody. The request must be formatted using the Collection+JSON or UBER media types. The attacker needs to target a model type that exposes a setter for a security-sensitive property, which is only protected by Jackson annotations and not by the absence of a setter. No specific authentication or network position is mentioned as required beyond the ability to send a request to the vulnerable endpoint [1].
Impact
Successful exploitation allows an attacker to bind properties to a model object via reflection, bypassing intended access controls enforced by Jackson annotations. This could lead to unauthorized modification or exposure of sensitive data, depending on the nature of the security-sensitive property. The exact impact, such as denial of service or unauthorized data manipulation, is contingent on the specific properties exposed by the model and the application's logic [1].
Mitigation
Users should upgrade to the following fixed versions: Spring HATEOAS 1.5.7 (Enterprise Support Only), 2.3.5 (Enterprise Support Only), 2.4.2 (Enterprise Support Only), 2.5.3 (OSS), or 3.0.4 (OSS). Versions that are no longer supported are also affected. No workarounds are specified if upgrading is not immediately possible [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 1.5.0 - 1.5.6, 2.3.0 - 2.3.4, 2.4.0 - 2.4.1, 2.5.0 - 2.5.2, 3.0.0 - 3.0.3
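To turn the affected ranges above into a dependency check, the following Python script is an added example (not part of this CVE record or of the Spring HATEOAS project) that classifies a version string against the ranges and fixed releases the advisory lists; the version-string parsing, the qualifier handling and the verdict labels are assumptions of the script, not statements from the advisory.

```python
"""Added example (not the advisory's own code): checks a Spring HATEOAS version
against the affected ranges and fixed releases stated in CVE-2026-41006.
Version parsing, qualifier handling and the verdict labels are assumptions."""
import re

# Inclusive affected ranges, exactly as listed under "Affected products".
AFFECTED_RANGES = [("1.5.0", "1.5.6"), ("2.3.0", "2.3.4"), ("2.4.0", "2.4.1"),
                   ("2.5.0", "2.5.2"), ("3.0.0", "3.0.3")]
# First fixed release per line, from the "Mitigation" section.
FIXED_VERSIONS = {"1.5": "1.5.7", "2.3": "2.3.5", "2.4": "2.4.2",
                  "2.5": "2.5.3", "3.0": "3.0.4"}
# Newest release line the advisory enumerates; unlisted lines below it are
# treated as no longer supported (the advisory says those are also affected).
NEWEST_LISTED_LINE = (3, 0)

# MAJOR.MINOR.PATCH with an optional Spring-style qualifier (-SNAPSHOT, -RC1, ...).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.-]+))?$")


def parse_version(version):
    """Return (major, minor, patch); the qualifier is ignored for comparison,
    so a 3.0.4-SNAPSHOT build is treated as 3.0.4 (an assumption; be conservative)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m[1]), int(m[2]), int(m[3])


def assess(version):
    """Return one of 'affected', 'fixed', 'unsupported-line' or 'not-listed'."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    line = f"{v[0]}.{v[1]}"
    if line in FIXED_VERSIONS and v >= parse_version(FIXED_VERSIONS[line]):
        return "fixed"
    if line not in FIXED_VERSIONS and v[:2] < NEWEST_LISTED_LINE:
        return "unsupported-line"   # advisory: unsupported versions also affected
    return "not-listed"             # e.g. a newer line the advisory does not cover


def recommended_fix(version):
    """Fixed release on the same line, or None when the line is not listed."""
    v = parse_version(version)
    return FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")


if __name__ == "__main__":
    for ver in ("2.5.2", "2.5.3", "3.0.1-RC1", "1.4.0", "3.1.0"):
        print(f"{ver}: {assess(ver)} -> upgrade to {recommended_fix(ver)}")
```

Feed it the resolved `spring-hateoas` version from your build's dependency report rather than the version declared in the POM, since a transitive override may differ.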
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.