CVE-2026-41856
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring for GraphQL is a project that integrates the GraphQL Java engine with the Spring application framework, providing server transports and an annotation-based controller programming model for building GraphQL APIs.
A high-severity vulnerability (CVE-2026-41856) has been identified in the framework's annotation detection mechanism for @Controller data fetchers. Annotations declared on handler methods within type hierarchies, such as generic interfaces, may not be correctly resolved at runtime. When such annotations are used for authorization decisions together with Spring Security's method security, the security annotations can be silently ignored, allowing requests to reach data fetchers without the intended authorization checks.
Per OWASP, this class of issue is a form of broken access control. Access control enforces policy such that users cannot act outside of their intended permissions, and failures typically lead to unauthorized information disclosure, modification, or destruction of data.
This issue affects versions >=1.0.2 <=1.0.6, >=1.2.0 <=1.2.9, >=1.3.0 <=1.3.8, >=1.4.0 <=1.4.5 and >=2.0.0 <=2.0.3 of Spring for GraphQL.
Details
Module Info
- Product: Spring for GraphQL
- Affected packages: spring-graphql
- Affected versions: >=1.0.2 <=1.0.6, >=1.2.0 <=1.2.9, >=1.3.0 <=1.3.8, >=1.4.0 <=1.4.5, >=2.0.0 <=2.0.3
- GitHub repository: https://github.com/spring-projects/spring-graphql
- Published packages: https://central.sonatype.com/artifact/org.springframework.graphql/spring-graphql
- Package manager: Maven
- Fixed in:
- NES for Spring for GraphQL 1.0.x, 1.2.x, 1.3.x
- Spring for GraphQL 2.0.4, 1.4.6 (OSS)
Vulnerability Info
Spring for GraphQL maps GraphQL fields to annotated @Controller handler methods through its HandlerMethod infrastructure. To support annotations declared on interfaces, HandlerMethod inspects every interface implemented by the controller class and collects annotations from each interface method that it considers an override of the invoked handler method. That decision is made by the private isOverrideFor method, which compares the candidate interface method's parameter types against the handler method's parameter types:
private boolean isOverrideFor(Method candidate) {
    // Name and arity must match before parameter types are compared
    if (!candidate.getName().equals(this.method.getName()) ||
            candidate.getParameterCount() != this.method.getParameterCount()) {
        return false;
    }
    Class<?>[] paramTypes = this.method.getParameterTypes();
    // Fast path: the erased parameter types are identical
    if (Arrays.equals(candidate.getParameterTypes(), paramTypes)) {
        return true;
    }
    // Slow path: resolve each generic parameter of the candidate against the handler
    // method's declaring class. resolve() yields null for a type variable it cannot
    // resolve, and null never equals an erased parameter class, so the candidate is
    // rejected whenever the declaring class leaves the variable unbound.
    for (int i = 0; i < paramTypes.length; i++) {
        if (paramTypes[i] !=
                ResolvableType.forMethodParameter(candidate, i, this.method.getDeclaringClass()).resolve()) {
            return false;
        }
    }
    return true;
}
The comparison relies on ResolvableType.resolve(), which returns null when a generic type variable cannot be fully resolved against the controller's declaring class. This happens in type hierarchies that use generics, for example a controller class that extends an abstract base class implementing a generic interface. In that case the erased parameter type of the concrete method never matches the null result, isOverrideFor returns false, and the interface method is not recognized as being overridden. Any annotations declared on that interface method's parameters are then silently dropped instead of being applied to the handler method's parameters.
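The null return that the comparison above depends on can be observed directly with spring-core. The following is an added example, not code from the advisory or from the Spring for GraphQL project; the Finder, BaseController and BookController types are hypothetical, and it only needs spring-core on the classpath. It resolves the same candidate interface parameter the way isOverrideFor does, once against a class where the type variable is bound and once against the generic base class where it is still free. It illustrates the resolve() behaviour only and does not claim that this particular hierarchy reproduces the vulnerability end to end.

```java
// Added example (not from the advisory or Spring for GraphQL); requires only spring-core.
// Finder, BaseController and BookController are hypothetical names.
package com.example.resolve;

import java.lang.reflect.Method;

import org.springframework.core.ResolvableType;

public class ResolveDemo {

    // Generic interface whose method parameter is a type variable, as in the advisory
    interface Finder<T> {
        T findById(T key);
    }

    // Abstract base that leaves T open; the variable has no bound other than Object
    static abstract class BaseController<T> implements Finder<T> {
    }

    // Concrete controller that binds T to String in its superclass clause
    static class BookController extends BaseController<String> {
        @Override
        public String findById(String key) {
            return "book-" + key;
        }
    }

    /**
     * Resolves parameter 0 of Finder.findById against implementationClass, exactly the
     * call isOverrideFor makes with the handler method's declaring class.
     */
    static Class<?> resolveKeyType(Class<?> implementationClass) throws NoSuchMethodException {
        // Erased signature of "T findById(T key)" is findById(Object)
        Method candidate = Finder.class.getMethod("findById", Object.class);
        return ResolvableType.forMethodParameter(candidate, 0, implementationClass).resolve();
    }

    public static void main(String[] args) throws Exception {
        // Bound through BookController extends BaseController<String>: resolves to a class
        System.out.println("BookController: " + resolveKeyType(BookController.class));
        // Free, unbounded variable in BaseController itself: resolve() has nothing to fall
        // back on (ResolvableType treats an Object bound as no bound) and returns null
        System.out.println("BaseController: " + resolveKeyType(BaseController.class));
    }
}
```

Tracing spring-core's ResolvableType: for BookController the variable is resolved through the superclass declaration to String; for BaseController the variable resolver finds no type argument, the fallback to bounds discards an Object bound, and resolve() returns null. Whenever a handler method's declaring class plays the role of BaseController here, every `paramTypes[i] != null` comparison in isOverrideFor is true and the interface method is not treated as overridden.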
An application is vulnerable when all of the following are true:
- The application has Spring Security on the classpath
- The application relies on Spring Security's @EnableMethodSecurity feature for security checks
- The application implements @Controller classes within type hierarchies
When all of these conditions are met, security annotations that the application expects to protect its GraphQL data fetchers can be silently ignored at runtime, leaving the affected operations without their intended authorization checks.
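The practical check is a regression test that exercises a controller built exactly this way and asserts that the inherited security annotation is enforced. The following is an added example, not code from the advisory or from the Spring for GraphQL project. It assumes Spring Boot 3.x test packages, spring-security-test on the test classpath, a classpath schema containing `type Query { bookById(id: ID!): Book }` and `type Book { id: ID! title: String! }`, and that the SecurityDataFetcherExceptionResolver Spring for GraphQL provides for Spring Security is active, so an AccessDeniedException for an authenticated user surfaces as a FORBIDDEN error. All class names (Book, SecuredFinder, BaseController, BookController, MethodSecurityConfig, BookControllerAuthorizationTests) are hypothetical.

```java
// Added example; not code from the advisory or the Spring for GraphQL project.
// Assumes Spring Boot 3.x test packages, spring-security-test, and a classpath schema
// declaring "type Query { bookById(id: ID!): Book }" and "type Book { id: ID! title: String! }".
// All class names below are hypothetical.
package com.example.books;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.graphql.GraphQlTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.graphql.data.method.annotation.Argument;
import org.springframework.graphql.data.method.annotation.QueryMapping;
import org.springframework.graphql.execution.ErrorType;
import org.springframework.graphql.test.tester.GraphQlTester;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Controller;

record Book(String id, String title) {}

// The security annotation lives on the generic interface method, i.e. in the type
// hierarchy rather than on the concrete handler method: the pattern the advisory names.
interface SecuredFinder<T> {
    @PreAuthorize("hasRole('ADMIN')")
    T findById(String id);
}

abstract class BaseController<T> implements SecuredFinder<T> {
}

@Controller
class BookController extends BaseController<Book> {

    @Override
    @QueryMapping(name = "bookById")
    public Book findById(@Argument String id) {
        // Constructed sample data; a real controller would consult a repository
        return new Book(id, "Dune");
    }
}

@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Regression test: the inherited @PreAuthorize must gate the data fetcher. If the
// annotation were silently dropped, nonAdminIsDenied would receive a Book instead of
// a FORBIDDEN error and fail, which is the signal a vulnerable version gives.
@GraphQlTest(BookController.class)
@Import(MethodSecurityConfig.class)
class BookControllerAuthorizationTests {

    private static final String QUERY = "{ bookById(id: \"1\") { title } }";

    @Autowired
    private GraphQlTester graphQlTester;

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminIsDenied() {
        this.graphQlTester.document(QUERY)
                .execute()
                .errors()
                .expect(error -> error.getErrorType() == ErrorType.FORBIDDEN)
                .verify()
                .path("bookById").valueIsNull();
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanRead() {
        this.graphQlTester.document(QUERY)
                .execute()
                .path("bookById.title").entity(String.class).isEqualTo("Dune");
    }
}
```

Run this test against the version you ship, not only after upgrading: a denied USER-role query and a successful ADMIN query together show that the annotation inherited through the hierarchy is being honoured. Keep at least one such test per controller that inherits security annotations, since the failure mode is silent and no exception or log line marks a dropped annotation.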
This vulnerability was introduced in 2022 with Spring for GraphQL 1.0.2.
Mitigation
Spring for GraphQL 1.0.x, 1.1.x, 1.2.x, and 1.3.x are End-of-Life and no longer receive open source updates; these lines have no publicly available fix for this vulnerability. For more information about Spring's support timelines, see https://spring.io/projects/spring-graphql.
Recommended actions:
- Upgrade to a fixed, supported version of Spring for GraphQL: 2.0.4 or 1.4.6, or later.
- If upgrading is not feasible, use a commercial support partner like HeroDevs, whose Never-Ending Support (NES) for Spring for GraphQL provides a drop-in replacement with this vulnerability patched.
Credits
- Bofei Chen (finder)