CVE-2026-41699

Vulnerability

Spring for GraphQL versions 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, and 1.3.0 through 1.3.8 are vulnerable to unsafe deserialization when processing paginated GraphQL queries. The vulnerability arises when an application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious GraphQL request targeted at a paginated field. No authentication or special network position is required beyond the ability to send GraphQL queries to the affected application. The attacker must include a malicious payload in the pagination arguments that triggers unsafe deserialization when the application processes the request [1].

Impact

Successful exploitation can lead to Remote Code Execution (RCE) on the server running the vulnerable application. The attacker gains the ability to execute arbitrary code with the privileges of the application process, leading to full compromise of confidentiality, integrity, and availability [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed version: 2.0.4, 1.4.6, or 1.3.9, depending on the major/minor branch. No additional mitigation steps are necessary beyond applying the patch [1]. Versions that are no longer supported are also affected; users on such versions should upgrade to a supported release.