CVE-2026-41837: Spring Data REST Improper Access Control in Querydsl Filtering
Spring Data REST's filtering feature bypasses Jackson customizations when processing user-supplied filter parameters, potentially allowing attackers to access sensitive object properties that should be restricted. An unauthenticated attacker can craft malicious filter requests to extract unauthorized information from the application's data layer without modifying or disrupting service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-17
NVD description (verbatim)
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
Spring Data REST versions 3.7.0–3.7.19, 4.3.0–4.3.16, 4.4.0–4.4.14, 4.5.0–4.5.11, and 5.0.0–5.0.5 contain an improper access control vulnerability in the Querydsl integration. The vulnerability stems from the framework accepting arbitrary persistent property paths as request-parameter filter keys and passing them directly to Querydsl without first applying Jackson serialization filters, mixins, or custom property exclusion rules. This allows attackers to circumvent application-level property visibility controls and query object graph paths that developers intended to hide.
Business impact
Organizations running affected Spring Data REST versions expose sensitive data to unauthorized access through REST API queries. Depending on the application's data model, attackers could extract customer records, internal configuration, personally identifiable information, or other confidential properties. This breach of confidentiality can lead to regulatory penalties, loss of customer trust, and operational disclosure of sensitive business logic. The lack of authentication requirement (network-accessible APIs) significantly widens the attack surface.
Affected systems
Spring Data REST versions: 3.7.0–3.7.19; 4.3.0–4.3.16; 4.4.0–4.4.14; 4.5.0–4.5.11; 5.0.0–5.0.5. Applications using Spring Data REST's Querydsl filtering capabilities to expose repository endpoints via REST are vulnerable. Versions prior to 3.7.0 and any patched versions outside these ranges are not affected.
Exploitability
This vulnerability requires no authentication, no complex setup, and no user interaction—it can be exploited via a simple HTTP request with crafted filter parameters. An attacker with network access to the REST API can immediately begin probing and extracting data. The attack surface is large because Spring Data REST is commonly used in microservice architectures and cloud deployments. However, exploitation requires prior knowledge of the object model and property names, which somewhat limits automated mass exploitation.
Remediation
Update Spring Data REST to a patched version. Verify the exact patched version numbers with VMware's official Spring Data REST security advisory, as patch versions differ by release line. Alternatively, disable Querydsl filtering if it is not needed, or implement additional authorization filters in the application layer to restrict query-able properties. Review any logs for suspicious filter requests using unusual property paths post-disclosure.
Patch guidance
Consult VMware's official Spring Data REST security advisory to obtain the exact patched version numbers for each release line. After patching, perform smoke tests on REST endpoints that accept filter parameters to ensure filtering still functions correctly. In multi-module projects, ensure all transitive dependencies on Spring Data REST are updated consistently. Consider deploying to a staging environment first to validate compatibility with custom Jackson configurations.
Detection guidance
Monitor HTTP request logs for Querydsl filter parameters (typically found in query strings or request bodies) that reference unusual or deeply nested object properties, or properties known to be sensitive (e.g., password, secret, internal_id). Search for requests with filter syntax accessing properties that are not part of your API's documented schema. Implement WAF rules to block filter requests containing suspicious property paths. Review application startup logs to confirm the Spring Data REST version in use.
Why prioritize this
Although this vulnerability carries a CVSS 5.3 (Medium) score reflecting limited scope and confidentiality-only impact, it demands prompt attention because it is unauthenticated, network-exposed, and affects data confidentiality in a widely-used framework. The lack of KEV listing does not diminish the risk—many organizations rely on Spring Data REST, and the attack is trivial to execute once known. Prioritize patching production systems within 30 days, especially those handling sensitive customer or financial data.
Risk score, explained
The CVSS 5.3 score reflects an unauthenticated network attack (AV:N, PR:N), low attack complexity (AC:L), no user interaction required (UI:N), confidentiality impact in the availability boundary (C:L), and no integrity or availability impact (I:N, A:N). The score is elevated by the lack of authentication and ease of exploitation, but constrained by the fact that unauthorized information disclosure alone does not cause system-wide disruption or allow data modification.
Frequently asked questions
Does this vulnerability allow an attacker to modify or delete data?
No. The vulnerability permits reading sensitive properties without authorization, but does not enable modification, deletion, or injection attacks. Integrity and availability of data remain intact.
Do I need to patch immediately if my Spring Data REST APIs are behind authentication?
While authentication is an additional control layer, it is not a substitute for fixing the root cause. An authenticated user could still exploit this to access properties within objects they should not see. Patching is still required; authentication is a defense-in-depth measure, not a remediation.
How do I know if my application uses Querydsl filtering?
Check your Spring Data REST configuration, repository interfaces, and REST controller annotations. If you explicitly enable Querydsl filters or use Spring Data REST's default filtering with QuerydslPredicate, you are potentially affected. Review your pom.xml or build.gradle for spring-data-rest and querydsl dependencies.
Are there workarounds if I cannot patch immediately?
Disable Querydsl filtering at the application level if not required, or add an application-layer authorization filter that validates and restricts which properties can be queried. However, these are temporary measures; patching is the proper fix.
This analysis is provided for informational purposes and based on publicly disclosed vulnerability data. The information herein is not a substitute for independent security assessment or vendor guidance. Verify all patch version numbers, affected product versions, and remediation steps against the official VMware Spring Data REST security advisory before deploying patches. The absence of CVE-2026-41837 from the CISA Known Exploited Vulnerabilities (KEV) catalog does not indicate absence of real-world exploitation risk. Organizations should conduct their own risk assessment based on their deployment topology, data sensitivity, and exposure to untrusted networks. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41847MEDIUMSpring WebFlux Kotlin Router DSL Security Bypass (CVSS 4.8)
- CVE-2026-41006HIGHSpring HATEOAS Jackson Access-Control Bypass Denial of Service
- CVE-2026-41728HIGHSpring Data REST JSON Patch Authorization Bypass
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0