Spring GraphQL Annotation Detection Vulnerability
CVE-2026-41856

7.5HIGH

Key Information:

Vendor: Spring
Status: Spring For Graphql
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-41856?

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Affected Version(s)

Spring for GraphQL 2.0.0 < 2.0.4

Spring for GraphQL 1.4.0 < 1.4.6

Spring for GraphQL 1.3.0 < 1.3.9

References

https://spring.io/security/cve-2026-41856

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Apr 22, 2026

CVE-2026-41856 Data

JSON