CVE-2026-41006
Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, binds incoming properties onto the target bean via reflection without consulting Jackson's access-control annotations, so the bean is populated in a way the application's Jackson configuration would not permit. The affected path is only reached when a request body is deserialized as Collection+JSON or UBER; the published vector rates the impact as availability only (A:H). Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3. Fixed in 1.5.7, 2.3.5, 2.4.2, 2.5.3 and 3.0.4 respectively.
| CWE | CWE-284 |
| Vendor | spring |
| Product | spring hateoas |
| Ecosystems | |
| Industries | Technology, Enterprise |
| Published | Jun 9, 2026 |
| Last Updated | Jun 9, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Affected Versions
Spring / Spring HATEOAS
| Introduced (inclusive) | Fixed in |
| 1.5.0 | 1.5.7 |
| 2.3.0 | 2.3.5 |
| 2.4.0 | 2.4.2 |
| 2.5.0 | 2.5.3 |
| 3.0.0 | 3.0.4 |
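A practical check against the ranges above, as an added example that is not part of this advisory or of Spring HATEOAS: it classifies a Spring HATEOAS version as affected, fixed, or on a branch the advisory does not list, and scans `mvn dependency:tree` output for the `org.springframework.hateoas:spring-hateoas` coordinate. The ranges are the ones published on this page; the dependency-tree text at the bottom is a constructed sample. Pre-release builds of a fix version (for example `3.0.4-SNAPSHOT`) are deliberately still reported as affected, since nothing on this page says the fix is in them.

```python
"""Version check for CVE-2026-41006 (Spring HATEOAS Collection+JSON/UBER deserializers).

Added example, not Spring HATEOAS code. The ranges are the ones published in the advisory.
"""
import re
from typing import List, Tuple

# Affected ranges from the advisory: each branch is vulnerable from
# `introduced` (inclusive) up to `fixed` (exclusive); `fixed` is the first safe release.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("1.5.0", "1.5.7"),
    ("2.3.0", "2.3.5"),
    ("2.4.0", "2.4.2"),
    ("2.5.0", "2.5.3"),
    ("3.0.0", "3.0.4"),
]

# major.minor.patch with an optional Spring-style qualifier (-SNAPSHOT, -M1, -RC1, .RELEASE).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([0-9A-Za-z][0-9A-Za-z.-]*))?$")

# Artifact coordinate as printed by `mvn dependency:tree`:
#   org.springframework.hateoas:spring-hateoas:jar:2.4.1:compile
_COORD_RE = re.compile(r"org\.springframework\.hateoas:spring-hateoas:(?:jar:)?([0-9][^:\s]*)")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split '2.4.1' or '3.0.4-SNAPSHOT' into (major, minor, patch, qualifier)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Spring HATEOAS version: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), (qualifier or "")


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a Spring HATEOAS version.

    'unlisted' means the major.minor branch does not appear in the advisory's
    ranges at all (for example 2.2.x); it is not a statement that the version is safe.
    """
    major, minor, patch, qualifier = parse_version(version)
    num = (major, minor, patch)
    for introduced, fixed in AFFECTED_RANGES:
        lo = parse_version(introduced)[:3]
        hi = parse_version(fixed)[:3]
        if lo[:2] != num[:2]:
            continue  # a different major.minor branch
        if lo <= num < hi:
            return "affected"
        # A pre-release of the fix version (3.0.4-SNAPSHOT, 3.0.4-RC1) is not assumed
        # to contain the fix; only the GA release of that version or later counts as fixed.
        if num == hi and qualifier and qualifier.upper() != "RELEASE":
            return "affected"
        return "fixed"
    return "unlisted"


def scan_dependency_tree(text: str) -> List[Tuple[str, str]]:
    """Find spring-hateoas coordinates in `mvn dependency:tree` output and classify each."""
    results: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = _COORD_RE.search(line)
        if m:
            version = m.group(1)
            results.append((version, classify(version)))
    return results


# Constructed sample of `mvn dependency:tree` output (hypothetical project coordinates).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- com.example:util:jar:1.0.0:compile
[INFO] \\- org.springframework.hateoas:spring-hateoas:jar:2.4.1:compile
"""


if __name__ == "__main__":
    for version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-hateoas {version}: {status}")
```

Feed it the real output of `mvn dependency:tree` (or any text containing the artifact coordinate) rather than the sample; a result of `unlisted` means the branch is outside the published ranges and should be checked against the vendor advisory directly, not treated as clean.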