CVE-2026-41728
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Data REST is a Spring project that automatically exposes Spring Data repositories as hypermedia-driven RESTful resources, including support for partial updates through JSON Patch (application/json-patch+json).
A high-severity vulnerability (CVE-2026-41728) has been identified in Spring Data REST's JSON Patch implementation. When resolving a multi-segment JSON Pointer, the write-access filter is applied only to the final path segment; the intermediate container segments are validated with the read filter instead. As a result, a property whose container (an embeddable object, a collection, or a map) is marked read-only at the Jackson level can still be mutated through a PATCH request when the inner element type carries no per-field write restriction, defeating the intended read-only protection.
Per OWASP, improper authorization occurs when an application does not correctly enforce restrictions on what an authenticated actor is allowed to do, allowing operations such as modifying records the actor should only be able to read.
This issue affects versions >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, and >=5.0.0 <=5.0.5 of Spring Data REST.
Details
Module Info
- Product: Spring Data REST
- Affected packages: spring-data-rest-webmvc
- Affected versions: >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
- GitHub repository: https://github.com/spring-projects/spring-data-rest
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-rest-webmvc
- Package manager: maven
- Fixed in:
  - NES for Spring Data REST
  - Spring Data REST 5.0.6, 4.5.12 (OSS)
Vulnerability Info
Spring Data REST translates a JSON Pointer in a JSON Patch operation into a property path against the target domain type, verifying access for each segment before the patch is applied. Read access is resolved through a readable-property filter and write access through a writable-property filter.
When verifying a multi-segment pointer, the access check applied the writable-property filter only to the final segment of the pointer and used the readable-property filter for every preceding (container) segment:
String property = (i == strings.length - 1 ? filter : reader)
.apply(segment, currentType.getType())
.orElseThrow(() -> reject(segment, rejectType, pointer, qualifier));
For a write operation the writable-property filter is supplied as filter, but because it was only consulted for the leaf segment, a container marked read-only at the Jackson level was checked for read access rather than write access. A PATCH targeting a pointer such as /embedded/innerField therefore bypassed the read-only protection on the embedded container whenever innerField itself had no per-field write restriction, allowing the attacker to write through an object, collection, or map that was intended to be immutable. Single-segment pointers were not affected because their only segment is the final one.
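To make the per-segment check concrete, the following is an added Python model of the pointer walk described above; it is not Spring Data REST's code. The domain model (Account with a read-only Audit container whose inner field created_by carries no per-field restriction) and the two filter functions are constructed assumptions; leaf_only=True reproduces the vulnerable check from the snippet, leaf_only=False applies the writable filter to every segment.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of two domain types (assumption, not a real project).
# "audit" is a container marked read-only (as with a Jackson read-only
# property); its inner field "created_by" has no per-field write restriction.
@dataclass(frozen=True)
class Prop:
    readable: bool
    writable: bool
    type_name: str   # type of the value behind this property

MODEL = {
    "Account": {"name": Prop(True, True, "str"),
                "audit": Prop(True, False, "Audit")},
    "Audit":   {"created_by": Prop(True, True, "str")},
}

def readable(segment: str, type_name: str) -> Optional[str]:
    """Readable-property filter: the property name if it may be read, else None."""
    prop = MODEL.get(type_name, {}).get(segment)
    return segment if prop and prop.readable else None

def writable(segment: str, type_name: str) -> Optional[str]:
    """Writable-property filter: the property name if it may be written, else None."""
    prop = MODEL.get(type_name, {}).get(segment)
    return segment if prop and prop.writable else None

def verify_write(pointer: str, root_type: str, leaf_only: bool) -> bool:
    """Walk a JSON Pointer segment by segment for a write (PATCH) operation.

    leaf_only=True  : vulnerable behaviour, writable filter only on the final
                      segment, readable filter on every container segment.
    leaf_only=False : writable filter applied to every segment.
    Returns True if the write is accepted, False if it would be rejected.
    (Escaped segments such as ~0/~1 are not handled in this model.)
    """
    segments = pointer.lstrip("/").split("/")
    current = root_type
    for i, segment in enumerate(segments):
        use_writer = (not leaf_only) or i == len(segments) - 1
        prop = (writable if use_writer else readable)(segment, current)
        if prop is None:
            return False          # corresponds to reject(segment, ...) in the snippet
        current = MODEL[current][prop].type_name
    return True
```

With leaf_only=True the pointer /audit/created_by is accepted even though audit is read-only, which is exactly the bypass; with the writable filter on every segment it is rejected at the container.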
This vulnerability has been present since at least Spring Data REST 3.5 and likely earlier.
Mitigation
Spring Data REST 3.5.x, 3.7.x, 4.2.x, 4.3.x, and 4.4.x are End-of-Life community lines and will not receive public security fixes for this issue. See https://spring.io/projects/spring-data-rest#support for support timelines.
Do not attempt to self-patch the affected versions. HeroDevs recommends:
- Upgrade to a supported, fully patched version of Spring Data REST.
- For applications that must remain on an End-of-Life line, use HeroDevs Never-Ending Support (NES) for Spring Data REST, which provides a drop-in replacement with this vulnerability fixed. Learn more about HeroDevs Never-Ending Support for Spring Data REST and request coverage at https://www.herodevs.com/support/spring-nes