CVE-2026-41856 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2026-41856

Analyzed

More Info Official Page

Source-security@vmware.com

Published At-11 Jun, 2026 | 07:16

Updated At-12 Jun, 2026 | 14:14

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CPE Matches

VMware (Broadcom Inc.)

>>spring_for_graphql>>Versions from 1.0.0(inclusive) to 1.0.7(exclusive)

cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*

VMware (Broadcom Inc.)

>>spring_for_graphql>>Versions from 1.3.0(inclusive) to 1.3.9(exclusive)

cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*

VMware (Broadcom Inc.)

>>spring_for_graphql>>Versions from 1.4.0(inclusive) to 1.4.6(exclusive)

cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*

VMware (Broadcom Inc.)

>>spring_for_graphql>>Versions from 2.0.0(inclusive) to 2.0.4(exclusive)

cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-284	Secondary	security@vmware.com

CWE ID: CWE-284

Type: Secondary

Source: security@vmware.com

References

Hyperlink	Source	Resource
https://spring.io/security/cve-2026-41856	security@vmware.com	Vendor Advisory

Hyperlink: https://spring.io/security/cve-2026-41856

Source: security@vmware.com

Resource:

Vendor Advisory