CVE-2026-41837

Vulnerability

Spring Data REST's Querydsl integration incorrectly accepts arbitrary persistent property paths as request-parameter filter keys. This occurs because the integration does not consider Jackson customizations before passing these paths to Querydsl. This vulnerability affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests with arbitrary persistent property paths as filter keys. These paths are not validated against Jackson's property hiding configurations, allowing the attacker to potentially access fields that should be inaccessible [1].

Impact

Successful exploitation allows an attacker to disclose sensitive information by accessing persistent fields that are hidden via Jackson customizations. The scope of the compromise is limited to the information that can be exposed through these filterable paths [1].

Mitigation

Users should upgrade to the following fixed versions: 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6. Until upgrading, applications can mitigate the issue by implementing QuerydslBinderCustomizer on each affected repository and calling bindings.excludeUnlistedProperties(true) along with an explicit allow-list of filterable property paths [1].