CVE-2026-41837: CWE-284: Improper Access Control in Spring Spring Data REST
CVE-2026-41837 is an improper access control vulnerability in Spring Data REST's Querydsl integration. It allows arbitrary persistent property paths to be used as request-parameter filter keys without considering Jackson customizations before passing them to Querydsl. This affects multiple versions of Spring Data REST from 3. 7. 0 through 3. 7. 19, 4. 3. 0 through 4. 3.
AI Analysis
Technical Summary
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not apply Jackson customizations before forwarding them to Querydsl. This improper access control (CWE-284) could allow unauthorized information disclosure by manipulating filter parameters. The vulnerability affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5. There is no vendor advisory or patch information available at this time.
Potential Impact
The vulnerability may allow an attacker to bypass intended access controls on data filtering, potentially leading to unauthorized partial disclosure of data. The CVSS score of 5.3 indicates a medium impact with network attack vector, no privileges required, no user interaction needed, and limited confidentiality impact. There is no indication of integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting access to affected endpoints or applying custom filtering logic to validate request parameters before they reach Querydsl. Monitor vendor channels for updates.
CVE-2026-41837: CWE-284: Improper Access Control in Spring Spring Data REST
Description
CVE-2026-41837 is an improper access control vulnerability in Spring Data REST's Querydsl integration. It allows arbitrary persistent property paths to be used as request-parameter filter keys without considering Jackson customizations before passing them to Querydsl. This affects multiple versions of Spring Data REST from 3. 7. 0 through 3. 7. 19, 4. 3. 0 through 4. 3.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not apply Jackson customizations before forwarding them to Querydsl. This improper access control (CWE-284) could allow unauthorized information disclosure by manipulating filter parameters. The vulnerability affects Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5. There is no vendor advisory or patch information available at this time.
Potential Impact
The vulnerability may allow an attacker to bypass intended access controls on data filtering, potentially leading to unauthorized partial disclosure of data. The CVSS score of 5.3 indicates a medium impact with network attack vector, no privileges required, no user interaction needed, and limited confidentiality impact. There is no indication of integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting access to affected endpoints or applying custom filtering logic to validate request parameters before they reach Querydsl. Monitor vendor channels for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-04-22T06:22:01.122Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a28a8098dd33fbd8595f11a
Added to database: 6/9/2026, 11:55:53 PM
Last enriched: 6/10/2026, 12:12:29 AM
Last updated: 6/10/2026, 6:22:51 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.