CVE-2026-41006: Spring HATEOAS Jackson Access-Control Bypass Denial of Service
Spring HATEOAS contains a flaw in how it processes certain API response formats (Collection+JSON and UBER). When deserializing these formats, the library uses an internal method that bypasses Jackson's security controls, allowing it to bind properties to Java objects without respecting restrictions that developers have intentionally put in place. This can be exploited to set properties that shouldn't be settable, potentially causing availability issues.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-27
NVD description (verbatim)
Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41006 affects Spring HATEOAS's PropertyUtils.createObjectFromProperties method, which is invoked during deserialization of Collection+JSON and UBER media types. The vulnerability stems from the method performing bean property binding via reflection while ignoring Jackson annotations that control property access—such as @JsonIgnore or @JsonProperty with specific configurations. An attacker sending a crafted request with these media types can cause the deserializer to set internal object properties, leading to denial of service through resource exhaustion or application crashes. The root cause is a bypass of the access-control layer that Jackson provides.
Business impact
Availability disruption is the primary risk. Attackers can craft requests using vulnerable media types to crash services or exhaust resources, resulting in denial of service. Organizations relying on Spring HATEOAS for REST APIs that accept Collection+JSON or UBER formatted input face potential service outages without patching. The impact is exacerbated in public-facing or high-traffic environments where untrusted clients can submit requests.
Affected systems
Spring HATEOAS versions 1.5.0–1.5.6, 2.3.0–2.3.4, 2.4.0–2.4.1, 2.5.0–2.5.2, and 3.0.0–3.0.3 are vulnerable. This affects any application that includes Spring HATEOAS as a dependency and exposes endpoints accepting Collection+JSON or UBER media types. Organizations should check their dependency trees for transitive inclusions of affected versions, particularly in microservices and API gateway deployments.
Exploitability
The vulnerability has a CVSS score of 7.5 (HIGH) with a network-based, low-complexity attack vector requiring no authentication or user interaction. Exploitation does not require credentials and can be triggered by sending a single HTTP request with a malicious payload in the vulnerable media format. The bar to attack is low, but successful exploitation requires the application to accept and process Collection+JSON or UBER formatted requests—not all Spring HATEOAS deployments may expose these formats by default.
Remediation
Upgrade Spring HATEOAS to patched versions. For each affected branch, vendors have released fixes that restore Jackson's access-control checks to the deserialization path. Verify the specific patch version applicable to your version line in the official VMware Spring HATEOAS advisory. As an interim mitigation, disable or restrict access to Collection+JSON and UBER media type handlers if they are not required for your application.
Patch guidance
Contact VMware or consult the Spring HATEOAS security advisory for the exact patch versions for each affected line (1.5.x, 2.3.x, 2.4.x, 2.5.x, and 3.0.x). After patching, perform dependency verification and automated testing to confirm Jackson's access-control annotations are now respected. Prioritize patching in development and staging environments first, then roll out to production following your organization's change management process.
Detection guidance
Monitor incoming HTTP requests for Collection+JSON (application/vnd.collection+json) and UBER (application/vnd.uber+json) content types targeting your Spring HATEOAS endpoints. Log and alert on unusual request patterns or media type usage if those formats are not part of your normal operations. Application log monitoring for deserialization errors or sudden resource spikes can also indicate exploitation attempts. Web application firewalls can be tuned to flag or block these specific media types if not needed.
Why prioritize this
This is a HIGH-severity, unauthenticated denial-of-service vulnerability with a straightforward attack vector. While it does not enable data exfiltration or code execution, the ease of exploitation and wide availability of network-accessible Spring HATEOAS deployments warrant rapid patching. Organizations should treat this as a priority in their patch schedules, particularly for internet-facing systems.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects high network accessibility, low attack complexity, and lack of authentication requirements. However, the impact is limited to availability (denial of service), not confidentiality or integrity. The score appropriately captures a serious but not catastrophic risk—denial of service can disrupt business continuity, but does not lead to data theft or system compromise. This score justifies prioritized but not emergency-only patching.
Frequently asked questions
Does this vulnerability require the application to explicitly enable Collection+JSON or UBER media types?
Collection+JSON and UBER are not universally enabled by default in all Spring HATEOAS configurations. However, if your application has enabled or configured these media type handlers—whether explicitly or through auto-configuration—it is vulnerable when accepting requests in those formats. Review your Spring configuration and content negotiation settings to confirm whether these formats are in use.
Can this vulnerability be exploited by unauthenticated remote attackers?
Yes. The vulnerability requires no authentication, credentials, or user interaction. Any attacker with network access to an affected endpoint can craft and send a malicious request. This makes it suitable for automated scanning and exploitation at scale.
Will upgrading Spring HATEOAS automatically protect my application?
Patched versions restore Jackson's access-control checks, closing the bypass. However, you must rebuild and redeploy your application with the updated dependency. Verify the patch version against your vendor advisory and confirm the fix is included before considering the vulnerability resolved in your environment.
What if my organization does not currently use Collection+JSON or UBER formats?
If these media types are not actively used or exposed by your application, the attack surface is narrower. However, you should still patch to prevent future misconfigurations or accidental enablement. If they are not in use, consider disabling these media type handlers entirely as an additional hardening measure.
This analysis is provided for informational purposes to assist security professionals in risk assessment and patching decisions. Specific patch versions, compatibility details, and production deployment timelines should be verified against official VMware Spring HATEOAS security advisories and your organization's change management policies. SEC.co makes no warranty regarding the completeness or timeliness of this information. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41847MEDIUMSpring WebFlux Kotlin Router DSL Security Bypass (CVSS 4.8)
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-11344HIGHUnrestricted File Upload in code-projects Vehicle Management System 1.0
- CVE-2026-11474HIGHUnrestricted File Upload in Kushan2k Student Management System
- CVE-2026-32995HIGHRocket.Chat DDP Authentication Bypass Exposes All Private Messages
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-37235HIGHFlexRIC E42 Message Authentication Bypass – RIC Denial of Service