CVE-2026-41006

Published: Jun 9, 2026Modified: Jun 11, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: security@vmware.com (Secondary)

Description

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.

Affected (5)

Products: Vmware: Spring Hateoas

Vmware

1 product

Spring Hateoas

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring Hateoas	From 1.5.0 to 1.5.7
Vmware Spring Hateoas	From 2.3.0 to 2.3.5
Vmware Spring Hateoas	From 2.4.0 to 2.4.2
Vmware Spring Hateoas	From 2.5.0 to 2.5.3
Vmware Spring Hateoas	From 3.0.0 to 3.0.4

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (1)

https://spring.io/security/cve-2026-41006

Source: security@vmware.com

Vendor Advisory

Timeline

No history available yet.