CVE-2026-41837

Information Exposure
Affects
Spring Data REST
in
Spring
Versions
>=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data REST is a Spring Data module that automatically exposes repositories as hypermedia-driven REST resources, including optional Querydsl-backed filtering of collection resources through request parameters. When a repository implements QuerydslPredicateExecutor, Spring Data REST turns query-string parameters into Querydsl predicates so clients can filter results, for example GET /users?lastname=Smith.

A medium-severity vulnerability (CVE-2026-41837) has been identified in Spring Data REST. Querydsl's default bindings permit filtering on every persistent property of the domain type, and the framework derives which fields are public from Jackson annotations on that type. The affected code accepts arbitrary persistent property paths as filter keys and hands the raw request-parameter map to Querydsl without first consulting those Jackson customizations. A persistent field that the application has hidden from its JSON representation with @JsonIgnore therefore remains usable as a server-side filter key, and a field renamed with @JsonProperty is not addressable under its public alias. An unauthenticated remote attacker can filter on a hidden field and observe whether matching records exist, turning a field whose value is never serialized into a confidentiality oracle.

Per OWASP, sensitive information disclosure occurs when an application allows data to be accessed by an actor that is not explicitly authorized to have access, leaking it through unintended channels even when it is never displayed directly. This issue is that pattern applied to filtering: a field excluded from responses is still queryable, so its presence can be inferred from filtered result sets.

This issue affects >=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, and >=5.0.0 <=5.0.5 of Spring Data REST. Versions that are no longer supported are also affected.

Details

Vulnerability Info

When a repository is exposed with Querydsl support, Spring Data REST resolves the request-parameter map into a Querydsl Predicate in QuerydslAwareRootResourceInformationHandlerMethodArgumentResolver. The affected code forwards the parameter map straight to the predicate builder, so every persistent property path is accepted as a filter key regardless of how the domain type is exposed through Jackson:

private Optional<Pair<QuerydslPredicateExecutor<?>, Predicate>> getRepositoryAndPredicate(
        QuerydslPredicateExecutor<?> repository, Class<?> domainType, Map<String, String[]> parameters) {

    TypeInformation<?> type = TypeInformation.of(domainType);

    QuerydslBindings bindings = factory.createBindingsFor(type);
    Predicate predicate = predicateBuilder.getPredicate(type, toMultiValueMap(parameters), bindings);

    return Optional.ofNullable(predicate).map(it -> Pair.of(repository, it));
}

Querydsl's default bindings are permit-all: any persistent property is a valid filter key. Because the parameters map is passed through untouched, a request keyed on a field annotated with @JsonIgnore, such as a hidden ssn field, is still translated into a predicate and applied to the query. The matching records are filtered server-side even though the field is never serialized back to the client, so the size and contents of the filtered response disclose whether records with a given hidden-field value exist. Likewise, a field renamed for serialization with @JsonProperty("renamed") cannot be filtered under its public alias because the resolver works only on the raw persistent property name.

This vulnerability has been present since at least Spring Data REST 3.5 and likely earlier.

Mitigation

Spring Data REST 3.5.x, 3.7.x, 4.2.x, 4.3.x, and 4.4.x are End-of-Life in open source and will not receive further OSS security updates; see https://spring.io/projects/spring-data-rest for the support timeline. HeroDevs does not recommend that users attempt to develop and apply their own source patches to End-of-Life software.

The recommended actions are:

  1. Upgrade to a supported, fixed release. The issue is fixed in OSS in Spring Data REST 4.5.12 and 5.0.6.
  2. For End-of-Life lines that cannot be upgraded, HeroDevs Never-Ending Support (NES) for Spring Data REST provides a drop-in replacement that backports this fix while remaining compatible with the affected versions. Learn more about HeroDevs Never-Ending Support for Spring Data REST and request coverage at https://www.herodevs.com/support/spring-nes.

As an interim measure, applications can implement QuerydslBinderCustomizer on each affected repository and call bindings.excludeUnlistedProperties(true) together with an explicit allow-list of filterable property paths.
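As an added example (not code from this advisory or from Spring Data REST itself), the interim allow-list mitigation applied to a single repository. It assumes a hypothetical User entity with persistent fields lastname, email and an @JsonIgnore ssn, plus its Querydsl-generated QUser type; Spring Data picks up the customizer because the repository interface implements QuerydslBinderCustomizer.

```java
// Added example, not from the advisory or the Spring Data REST source.
// Assumes a hypothetical User entity (fields lastname, email, ssn; ssn is
// @JsonIgnore) and its Querydsl APT-generated QUser class.
import com.querydsl.core.types.dsl.StringExpression;
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.repository.CrudRepository;

public interface UserRepository
        extends CrudRepository<User, Long>,
                QuerydslPredicateExecutor<User>,
                QuerydslBinderCustomizer<QUser> {

    @Override
    default void customize(QuerydslBindings bindings, QUser user) {
        // Flip the default from permit-all to deny-by-default: a request
        // parameter naming any property not listed below is ignored instead
        // of being turned into a predicate.
        bindings.excludeUnlistedProperties(true);

        // Explicit allow-list of filterable paths. ssn is deliberately absent,
        // so ?ssn=... no longer narrows the result set and cannot act as an
        // existence oracle for the hidden field.
        bindings.including(user.lastname, user.email);

        // Optional: constrain how an allow-listed field may be matched, so a
        // client gets exactly one predicate shape rather than free-form
        // comparisons on the raw property.
        bindings.bind(user.lastname).first(StringExpression::equalsIgnoreCase);
        bindings.bind(user.email).first(StringExpression::equalsIgnoreCase);
    }
}
```

Apply the same customizer to every repository that exposes a domain type with @JsonIgnore or @JsonProperty fields; the allow-list is per repository, not global.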

Credits

  • This issue was resolved by the Spring Data team.
Vulnerability Details

Severity
Medium

CVSS assessment scale (Level: CVSS range)
Low: >=0 <4
Medium: >=4 <6
High: >=6 <8
Critical: >=8 <10
ID
CVE-2026-41837
PROJECT Affected
Spring Data REST
Versions Affected
>=3.5.0 <=3.5.12, >=3.7.0 <=3.7.19, >=4.2.0 <=4.2.12, >=4.3.0 <=4.3.16, >=4.4.0 <=4.4.14, >=4.5.0 <=4.5.11, >=5.0.0 <=5.0.5
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Category
Information Exposure