Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41006: Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration
Description
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations.
Affected applications are those that have enabled the COLLECTION_JSON or UBER hypermedia type (via @EnableHypermediaSupport or auto-configuration), expose a controller accepting a RepresentationModel subclass or EntityModel as @RequestBody, and whose bound model type exposes a setter for a security-sensitive property protected only through Jackson annotations rather than by the absence of a setter.
Affected Spring Products and Versions
Spring HATEOAS:
- 1.5.0 - 1.5.6
- 2.3.0 - 2.3.4
- 2.4.0 - 2.4.1
- 2.5.0 - 2.5.2
- 3.0.0 - 3.0.3
Versions that are no longer supported are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 1.5.x | 1.5.7 | Enterprise Support Only |
| 2.3.x | 2.3.5 | Enterprise Support Only |
| 2.4.x | 2.4.2 | Enterprise Support Only |
| 2.5.x | 2.5.3 | OSS |
| 3.0.x | 3.0.4 | OSS |
References
History
- 2026-06-02: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all