CVE-2026-41728 is an improper access control vulnerability (CWE-284) in Spring Data REST's JSON Patch (application/json-patch+json) implementation. The vulnerability occurs because the write-access filter is not enforced on intermediate path segments during the resolution of multi-segment JSON Pointers. This flaw can allow an attacker to perform unauthorized write operations on resources by bypassing intended access controls. The affected versions include 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 of Spring Data REST. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. There is no vendor advisory or patch link provided, and no known exploits in the wild have been reported.

This vulnerability allows an attacker to bypass write-access controls on intermediate path segments when applying JSON Patch requests, potentially enabling unauthorized modification of data. The integrity of affected systems can be compromised without requiring authentication or user interaction. There is no impact on confidentiality or availability according to the CVSS vector. The vulnerability is exploitable remotely over the network.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the JSON Patch API endpoints or implementing additional access control checks at the application level to mitigate unauthorized write operations.