High

Spring Data REST JSON Patch write-access filter bypass on nested objects

IdentifiersCVE-2026-41728CWE-863

CVE-2026-41728 is a high-severity integrity flaw in Spring Data REST's JSON Patch handling for the application/json-patch+json media type. When resolving a multi-segment JSON Pointer, the implementation does not apply the write-access filter to intermediate path segments. As a result, Jackson read-only property protections on nested objects, collections, and maps can be bypassed. The issue affects applications whose domain model exposes a container property marked read-only at the Jackson level, while nested element types or inner fields do not have equivalent restrictions. An attacker can craft JSON Patch operations that traverse a protected parent path and modify nested state that should not be writable through the REST interface. Affected versions are Spring Data REST 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5; unsupported versions are also reported as affected.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized modification of application data that developers intended to protect with Jackson read-only annotations or equivalent write restrictions. The primary consequence is loss of integrity: attackers can alter nested object members, collection elements, or map-backed content reachable through a read-only container property. The provided CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) indicates remote exploitation with no privileges or user interaction and high integrity impact, with no stated confidentiality or availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling or restricting JSON Patch support (application/json-patch+json) on affected endpoints, especially those exposing nested objects, collections, or maps. Review domain models for read-only container properties whose nested element types remain writable, and enforce equivalent restrictions at inner fields or types where feasible. Limit unauthenticated network access to vulnerable REST endpoints and monitor for suspicious JSON Patch requests targeting multi-segment paths.

Remediation

Patch, then assume compromise.

Upgrade Spring Data REST to a fixed version appropriate for the deployed branch: 3.7.20, 4.3.17, 4.4.15, 4.5.12, or 5.0.6. Unsupported versions should be assumed vulnerable and moved to a supported fixed release. Validate that JSON Patch behavior after upgrade correctly enforces write-access restrictions across full multi-segment JSON Pointer resolution paths.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomSpring Data Restapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

security online infoNews

Jun 11, 2026

Spring Data Vulnerabilities: Patch 5 Critical Flaws Now

A vulnerability in Spring Data that bypasses Jackson read-only property protections on nested objects, undermining intended data-binding restrictions.

springNews

Jun 9, 2026

CVE-2026-41728: Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections

A Spring Data REST vulnerability in JSON Patch handling that bypasses Jackson read-only property protection on nested objects and collections, allowing modification of data that should be treated as read-only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41728

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41728

MITRE CWE · CWE-863

cwe.mitre.org

spring.io

spring.io/security/cve-2026-41728