VYPR
High severity · CVSS 7.5 · NVD Advisory · Published Jun 11, 2026

CVE-2026-41856

Description

Spring GraphQL fails to correctly resolve security annotations on @Controller methods within type hierarchies, causing authorization to be bypassed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The annotation detection mechanism for @Controller data fetchers in Spring for GraphQL [1] may fail to resolve security annotations on methods declared within a type hierarchy, for example a method that a @Controller class inherits from a superclass or implements from an interface. This affects versions 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, 1.3.0 through 1.3.8, and 1.0.0 through 1.0.6 [1]. The vulnerability is exploitable only when three conditions are met at the same time: Spring Security is on the classpath, the application relies on @EnableMethodSecurity (annotations such as @PreAuthorize) for its authorization checks, and @Controller classes are implemented within type hierarchies [1]. An audit should therefore look for @Controller classes that extend a base class or implement an interface and carry or inherit method-security annotations; a standalone @Controller with the annotations placed directly on its own data-fetcher methods does not meet the third condition.

Exploitation

An attacker must be in a position to send crafted GraphQL queries to the application [1]. The CVSS vector rates the attack as requiring no privileges (PR:N) and no user interaction, so in the rated scenario the request reaches the vulnerable data fetcher without any authentication. The attacker sends a GraphQL operation that invokes a data fetcher method whose security annotation (e.g., @PreAuthorize) was declared in the type hierarchy and is therefore misresolved by the annotation detection bug, so the method-level authorization check is silently skipped at runtime [1]. Note that what is bypassed is the method-level check enforced through @EnableMethodSecurity; an HTTP-level rule in the Spring Security filter chain that already requires authentication for the GraphQL endpoint still has to be passed, so the unauthenticated case applies to deployments that rely solely on method security to protect the data.

Impact

Successful exploitation results in the bypass of security annotations intended to gate access to data fetchers [1]. The primary consequence is unauthorized disclosure of information—the attacker can retrieve data that should have been protected by method-level authorization. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) yields a base score of 7.5 (High), reflecting high impact on confidentiality with no impact on integrity or availability [1].

Mitigation

Users of affected versions should upgrade to the fixed version for their release line as listed in the advisory [1]: 2.0.x to 2.0.4 (OSS fix), 1.4.x to 1.4.6 (OSS fix), 1.3.x to 1.3.9 (commercial fix), and 1.0.x to 1.0.7 (commercial fix) [1]. The 1.3.9 and 1.0.7 fixes are commercial-support releases, so users on the 1.3.x or 1.0.x lines without commercial support need to move to an OSS-fixed line (1.4.6 or 2.0.4). The advisory states that no further mitigation steps are necessary after upgrading [1]; a prudent check is still to confirm with an integration test that an unauthorized request against an inherited or interface-declared annotation is rejected once the upgrade is in place. This CVE is not listed on the CISA KEV catalog as of the publication date.
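The layout the three conditions describe, together with a regression test to run before and after the upgrade, as an added example (not code from the advisory or from the Spring project). It assumes a Spring Boot application with spring-boot-starter-graphql, spring-boot-starter-security and spring-security-test on the classpath, a schema in src/main/resources/graphql/ declaring `type Query { account(id: ID!): Account }` and `type Account { id: ID! owner: String }`, and the hypothetical names DemoApp, SecurityConfig, Account, AccountApi, AccountController and InheritedPreAuthorizeTest. The advisory does not spell out which hierarchy shapes trigger the bug; an interface-declared @PreAuthorize implemented by the @Controller is one assumed shape.

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.graphql.tester.AutoConfigureHttpGraphQlTester;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.graphql.execution.ErrorType;
import org.springframework.graphql.test.tester.HttpGraphQlTester;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;

// Hypothetical application class; the other classes sit in its package so they are scanned.
@SpringBootApplication
class DemoApp { }

// Conditions 1 and 2: Spring Security on the classpath, authorization delegated to
// method security. The HTTP layer deliberately permits every request, so @PreAuthorize
// is the only gate in front of the data (the setup the advisory says is exposed).
@Configuration
@EnableMethodSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }

    @Bean
    UserDetailsService users() {
        // Constructed test account; {noop} keeps the sample password unencoded.
        return new InMemoryUserDetailsManager(
            User.withUsername("admin").password("{noop}secret").roles("ADMIN").build());
    }
}

// Hypothetical domain type matching the assumed schema.
record Account(String id, String owner) { }

// Condition 3: the @Controller is part of a type hierarchy and the security annotation
// sits on the supertype method rather than on the concrete data fetcher (assumed shape).
interface AccountApi {
    @PreAuthorize("hasRole('ADMIN')")
    Account account(String id);
}

@Controller
class AccountController implements AccountApi {
    @Override
    @QueryMapping // registered by Spring for GraphQL as the data fetcher for Query.account
    public Account account(@Argument String id) {
        return new Account(id, "alice"); // constructed sample data
    }
}

// Regression test: on an affected version the advisory implies the anonymous query
// succeeds and the first test fails; on a fixed version both tests pass.
@SpringBootTest
@AutoConfigureHttpGraphQlTester
class InheritedPreAuthorizeTest {
    private static final String QUERY = "{ account(id: \"1\") { id owner } }";

    @Autowired
    HttpGraphQlTester graphQlTester;

    @Test
    void anonymousCallerIsRejected() {
        graphQlTester.document(QUERY).execute().errors().satisfy(errors -> {
            assertThat(errors).isNotEmpty();
            // Spring for GraphQL's security exception resolver maps the
            // AccessDeniedException raised for an anonymous caller to UNAUTHORIZED.
            assertThat(errors.get(0).getErrorType()).isEqualTo(ErrorType.UNAUTHORIZED);
        });
    }

    @Test
    void adminCallerIsAllowed() {
        graphQlTester.mutate()
            .headers(headers -> headers.setBasicAuth("admin", "secret"))
            .build()
            .document(QUERY)
            .execute()
            .path("account.owner").entity(String.class).isEqualTo("alice");
    }
}
```

Run it with the project's normal test command (for example mvn test) against the currently pinned Spring for GraphQL version, then again after bumping to the fixed release for the line in use. The first test is the one that matters: it asserts that an error is present, not merely that any error present is of the expected type, because a version that skips the inherited check returns data with no error at all.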

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.



References

[1] Spring for GraphQL security advisory for CVE-2026-41856.
