CVE Catalog

CVE-2026-41837

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

A vulnerability in Spring Data REST allows an attacker to pass arbitrary persistent property paths as request parameter filter keys without considering Jackson customizations before handing them to Querydsl. This could lead to unauthorized data access or data leakage.

Risk Assessment

The organization is at risk of sensitive data exposure through manipulation of REST query parameters, potentially compromising data confidentiality and integrity.

Recommendation

Immediately upgrade Spring Data REST to version 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6 depending on the branch used, and review Jackson configuration for custom filters.

Original NVD description (English source)

Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS