Spring Security Advisories

RSS feed

CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections

HIGH | JUNE 09, 2026 | CVE-2026-41728

Description

Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.

Affected applications are those whose domain model includes an embeddable object, collection, or map property whose container is marked read-only at the Jackson level while the inner element type carries no per-field restriction.

Affected Spring Products and Versions

Spring Data REST:

  • 3.7.0 - 3.7.19
  • 4.3.0 - 4.3.16
  • 4.4.0 - 4.4.14
  • 4.5.0 - 4.5.11
  • 5.0.0 - 5.0.5

Versions that are no longer supported are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
3.7.x 3.7.20 Commercial
4.3.x 4.3.17 Commercial
4.4.x 4.4.15 Commercial
4.5.x 4.5.12 OSS
5.0.x 5.0.6 OSS

References

History

  • 2026-06-09: Initial vulnerability report published.

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all