{"cve":{"cve_id":"CVE-2026-41856","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00352,"epss_percentile":0.2692,"epss_as_of":"2026-06-23","description":"The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime.\n\nAffected versions:\nSpring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.","published_at":"2026-06-11T05:05:00.491000Z","last_modified_at":null,"cvss_v3_score":7.5,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-284"],"nvd_references":["https://spring.io/security/cve-2026-41856"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:30:17.617015Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"N","value_label":"None"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"spring","vendor_name":"Spring","product_slug":"spring-for-graphql","product_name":"Spring for GraphQL","version_start":"2.0.0","version_start_inclusive":true,"version_end":"2.0.4","version_end_inclusive":false,"cpe23_uri":"cve5:spring:spring-for-graphql:2.0.0:2.0.4"},{"vendor_slug":"spring","vendor_name":"Spring","product_slug":"spring-for-graphql","product_name":"Spring for GraphQL","version_start":"1.4.0","version_start_inclusive":true,"version_end":"1.4.6","version_end_inclusive":false,"cpe23_uri":"cve5:spring:spring-for-graphql:1.4.0:1.4.6"},{"vendor_slug":"spring","vendor_name":"Spring","product_slug":"spring-for-graphql","product_name":"Spring for GraphQL","version_start":"1.3.0","version_start_inclusive":true,"version_end":"1.3.9","version_end_inclusive":false,"cpe23_uri":"cve5:spring:spring-for-graphql:1.3.0:1.3.9"},{"vendor_slug":"spring","vendor_name":"Spring","product_slug":"spring-for-graphql","product_name":"Spring for GraphQL","version_start":"1.0.0","version_start_inclusive":true,"version_end":"1.0.7","version_end_inclusive":false,"cpe23_uri":"cve5:spring:spring-for-graphql:1.0.0:1.0.7"}],"exploit_refs":[],"news":[],"references":[{"url":"https://spring.io/security/cve-2026-41856","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-11T05:05:00.491000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:54:07.258310Z","label":"CVSS score revised","source":"cvelistv5"}]}