Threat Advisory

Spring GraphQL Vulnerability Allows Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Spring GraphQL (versions prior to the latest maintenance releases) and related Spring Integration modules. The flaws span unsafe deserialization, session hijacking, annotation bypass, insecure message header handling, and path traversal, collectively enabling remote code execution, unauthorized data manipulation, and server compromise. Exploitation can occur over public HTTP or WebSocket channels without authentication, allowing attackers to execute arbitrary code, hijack user sessions, or write files to critical systems. For organizations relying on Spring-based microservices, these weaknesses threaten data integrity, service availability, and regulatory compliance, underscoring a heightened risk to core business operations.

  • CVE-2026-41699 – An unsafe deserialization flaw allows an unauthenticated attacker to supply crafted payloads over HTTP, leading to remote code execution by bypassing type restriction checks.
  • CVE-2026-41700 – A session validation weakness enables cross-site WebSocket hijacking, where a malicious page can trick authenticated users into performing unauthorized actions.
  • CVE-2026-41731 – Overly permissive package matching in Kafka message streams lets malicious producers send crafted headers that trigger arbitrary class execution.
  • CVE-2026-41732 – Similar header validation issues in Pulsar components allow attackers to inject classes and compromise the messaging layer.
  • CVE-2026-40987 – A path traversal defect in the Spring Integration synchronizer module enables writing arbitrary files outside intended directories, risking data leakage and system integrity.
  • CVE-2026-41856 – An annotation detection bug permits the runtime to ignore security annotations in complex type hierarchies, potentially bypassing access controls.

These vulnerabilities collectively present an urgent risk of system compromise, data breach, and service disruption. If exploited, attackers can gain control of critical services, alter or exfiltrate sensitive information, and undermine compliance obligations, demanding immediate executive attention.

RECOMMENDATION:

  • We recommend updating Kafka to version 4.0.6.
  • We recommend updating Pulsar to version 2.0.6.
  • We recommend updating the local file synchronization packages to version 7.0.5.
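A dependency-check script, added here as an example and not part of this advisory or of any Spring project, that flags build dependencies still resolved below the versions recommended above. The Maven coordinates for the Kafka, Pulsar and file-synchronization modules are assumed for illustration (the advisory names only the packages and version numbers), and the `mvn dependency:list` output is a constructed sample.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions from the advisory's recommendation. The Maven
# coordinates are ASSUMED for illustration; the advisory names only the
# "Kafka", "Pulsar" and "local file synchronization" packages and versions.
MIN_FIXED: Dict[str, Tuple[int, ...]] = {
    "org.springframework.kafka:spring-kafka": (4, 0, 6),
    "org.springframework.pulsar:spring-pulsar": (2, 0, 6),
    "org.springframework.integration:spring-integration-file": (7, 0, 5),
}

# One `mvn dependency:list` line, e.g. "[INFO]    g:a:jar:4.0.5:compile"
DEP_RE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):[\w\-]+:([0-9][\w.\-]*):\w+"
)

def parse_version(text: str) -> Tuple[int, ...]:
    """'4.0.6-SNAPSHOT' -> (4, 0, 6): numeric prefix only, padded to 3."""
    nums: List[int] = []
    for part in re.split(r"[.\-]", text):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))

def find_vulnerable(dependency_list: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, found_version, required_version) for every
    tracked artifact resolved at a version below its fixed release."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue
        coord = f"{m.group(1)}:{m.group(2)}"
        required = MIN_FIXED.get(coord)
        if required and parse_version(m.group(3)) < required:
            findings.append((coord, m.group(3), ".".join(map(str, required))))
    return findings

# Constructed sample of `mvn dependency:list` output (not a real build).
SAMPLE = """\
[INFO]    org.springframework.kafka:spring-kafka:jar:4.0.5:compile
[INFO]    org.springframework.pulsar:spring-pulsar:jar:2.0.6:compile
[INFO]    org.springframework.integration:spring-integration-file:jar:7.0.4:compile
"""

if __name__ == "__main__":
    for coord, found, needed in find_vulnerable(SAMPLE):
        print(f"{coord} {found} < {needed}: update required")
```

Feed it the real output of `mvn dependency:list` on each service and adjust the coordinates to the artifacts your build actually uses.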

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/spring-graphql-security-patches/