CVE-2026-41728

Vulnerability

Spring Data REST's JSON Patch (application/json-patch+json) implementation fails to apply write-access filters to intermediate path segments when resolving multi-segment JSON Pointers. This vulnerability affects applications with domain models containing embeddable objects, collections, or maps where the container is marked read-only at the Jackson level, but the inner element type lacks per-field restrictions. Affected versions include Spring Data REST 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted JSON Patch request. The attacker needs to target an endpoint that exposes a JSON Patch endpoint and has a domain model with a nested structure where the outer container is read-only but the inner elements are not restricted. By carefully constructing a multi-segment JSON Pointer within the patch request, the attacker can bypass the read-only filter on intermediate path segments and modify data within the nested structure [1].

Impact

Successful exploitation allows an attacker to modify data within nested objects, collections, or maps that are otherwise protected by read-only restrictions. This can lead to unauthorized data modification, potentially corrupting application state or injecting malicious content, depending on the specific data structure and application logic. The impact is primarily on data integrity [1].

Mitigation

Users of affected versions should upgrade to the following fixed versions: Spring Data REST 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6. Versions that are no longer supported are also affected. No workarounds are specified in the available references [1].