Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreCVE-2026-41699: Unsafe Deserialization in Spring GraphQL
Description
Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries.
More precisely, an application is vulnerable when all the following are true:
- the application is using Spring GraphQL
- the application exposes a paginated (Connection) field
- the application's classpath contains specific classes that can be leveraged to execute unintended logic during instantiation or deserialization
When all the conditions above are met, an attacker can craft a malicious GraphQL request that can lead to Remote Code Execution.
Affected Spring Products and Versions
Spring for GraphQL:
- 2.0.0 - 2.0.3
- 1.4.0 - 1.4.5
- 1.3.0 - 1.3.8
Versions that are no longer supported are also affected.
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 2.0.x | 2.0.4 | OSS |
| 1.4.x | 1.4.6 | OSS |
| 1.3.x | 1.3.9 | Commercial |
No further mitigation steps are necessary.
Credit
This issue was discovered internally.
References
History
- 2026-06-10: Initial vulnerability report published.
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy
Get support
Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.
Learn moreUpcoming events
Check out all the upcoming events in the Spring community.
View all