View all Vulnerabilities

CVE-2026-41006

Incorrectly Configured Access Control
Affects
Spring HATEOAS
in
Spring
No items found.
Versions
>=1.3.0 <=1.3.7, >=1.5.0 <=1.5.6, >=2.2.0 <=2.2.5, >=2.3.0 <=2.3.4, >=2.4.0 <=2.4.1, >=2.5.0 <=2.5.2, >=3.0.0 <=3.0.3
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring HATEOAS is a library for building hypermedia-driven REST APIs on top of the Spring Framework, providing model types such as RepresentationModel, EntityModel, and CollectionModel along with serializers and deserializers for several hypermedia media types, including HAL, Collection+JSON (application/vnd.collection+json), and UBER (application/vnd.amundsen-uber+json). When an application accepts one of these media types as a request body, the corresponding Spring HATEOAS Jackson module deserializes the incoming document back into the application's model objects.

A high-severity vulnerability (CVE-2026-41006) has been identified in the Collection+JSON and UBER deserializers. Both deserializers reconstruct domain objects through PropertyUtils.createObjectFromProperties, which binds incoming values onto JavaBean setters using plain reflection without consulting the active Jackson configuration. As a result, the Jackson access controls and customizations an application relies on to protect security-sensitive properties (for example @JsonProperty(access = READ_ONLY), setter-side @JsonIgnore, @JsonIgnoreProperties, mix-ins, and the mapper's deserialization features) are ignored on these two media-type code paths. A remote client can therefore set properties that the application configured Jackson to reject, driving a deserialized model into a state the application assumed was unreachable.

Per OWASP: secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods. When a deserialization path enforces its own ad hoc reflection-based binding instead of honoring the centrally configured Jackson access controls, the protection the application believes it has declared is silently not applied, which is exactly the kind of design-level access-control gap this category warns about.

The CVSS v3.1 base score for this vulnerability is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack vector is Network because the malicious document arrives over an ordinary HTTP request, attack complexity is Low and no privileges or user interaction are required because any client that can reach an affected endpoint can submit the payload, and the impact is Availability-only and High because the unguarded property binding can force the model into an invalid state. There is no confidentiality or integrity disclosure impact, and the advisory does not describe a polymorphic-deserialization or gadget-chain path, so this is an access-control bypass on the deserialization path rather than remote code execution.

This issue affects Spring HATEOAS >=1.3.0 <=1.3.7, >=1.5.0 <=1.5.6, >=2.2.0 <=2.2.5, >=2.3.0 <=2.3.4, >=2.4.0 <=2.4.1, >=2.5.0 <=2.5.2, and >=3.0.0 <=3.0.3.

Details

Module Info

Vulnerability Info

The vulnerability is in PropertyUtils.createObjectFromProperties in the org.springframework.hateoas.mediatype package, which is invoked by the Collection+JSON deserializers in org.springframework.hateoas.mediatype.collectionjson (Jackson2CollectionJsonModule and CollectionJsonItem.toRawData) and the UBER deserializers in org.springframework.hateoas.mediatype.uber (Jackson2UberModule). These deserializers run whenever an application has enabled the Collection+JSON or UBER hypermedia types and a controller accepts a RepresentationModel subclass or an EntityModel as a request body.

Pre-fix, createObjectFromProperties accepts a raw Class and binds every entry of the parsed property map directly onto the matching JavaBean setter via reflection. It never touches the active Jackson DeserializationContext or ObjectMapper, so any access control the application configured through Jackson is bypassed

public static <T> T createObjectFromProperties(Class<T> clazz, Map<String, Object> properties) {

    T obj = BeanUtils.instantiateClass(clazz);

    properties.forEach((key, value) -> {
        Optional.ofNullable(BeanUtils.getPropertyDescriptor(clazz, key)) //
                .ifPresent(property -> {

                    try {

                        Method writeMethod = property.getWriteMethod();
                        ReflectionUtils.makeAccessible(writeMethod);
                        writeMethod.invoke(obj, value);

                    } catch (IllegalAccessException | InvocationTargetException e) {
                        throw new RuntimeException(e);
                    }
                });
    });

    return obj;
}

The deserializers call this method with the raw class of the target type, for example in Jackson2CollectionJsonModule:

RepresentationModel<?> resourceSupport = (RepresentationModel<?>) PropertyUtils
        .createObjectFromProperties(this.contentType.getRawClass(), properties);

and in CollectionJsonItem.toRawData:

return PropertyUtils.createObjectFromProperties(javaType.getRawClass(), //
        this.data.stream() //
                .collect(Collectors.toMap(CollectionJsonData::getName, CollectionJsonData::getValue)));

with equivalent call sites in Jackson2UberModule.convertToResourceSupport and convertToResource. Because binding goes through BeanUtils.getPropertyDescriptor plus writeMethod.invoke, a setter is invoked for any property name the document supplies whose setter exists, regardless of whether Jackson would have treated that property as read-only, ignored, or otherwise not bindable. An application that protects a security-sensitive property solely through Jackson annotations (the documented and supported way to do so) therefore loses that protection for requests that arrive as Collection+JSON or UBER, while the same payload submitted as plain JSON or HAL would be correctly rejected by the standard Jackson pipeline.

Mitigation

Only recent versions of Spring HATEOAS receive community support and updates. The OSS fixes are limited to the 2.5.x and 3.0.x lines. Older versions have no publicly available OSS fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring HATEOAS. The OSS fix ships in Spring HATEOAS 2.5.3 (2.5.x line) and 3.0.4 (3.0.x line).
  • If an upgrade is not immediately possible on an affected deployment, and the application does not require the Collection+JSON or UBER hypermedia types, disable those media types so the affected deserializers are not registered, and continue to use HAL or plain JSON, which deserialize through the standard Jackson pipeline.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring HATEOAS.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-41006
PROJECT Affected
Spring HATEOAS
Versions Affected
>=1.3.0 <=1.3.7, >=1.5.0 <=1.5.6, >=2.2.0 <=2.2.5, >=2.3.0 <=2.3.4, >=2.4.0 <=2.4.1, >=2.5.0 <=2.5.2, >=3.0.0 <=3.0.3
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 11, 2026
Fixed in
NES for Spring
Category
Incorrectly Configured Access Control
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.