Spring Data REST 3.x to 5.0.x Querydsl Path Traversal via Arbitrary Property Keys
CVE-2026-41837 Published on June 9, 2026
Spring Data REST Querydsl integration exposes Jackson-hidden persistent fields as filter keys
Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl.
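Because the Querydsl binding layer looks at persistent properties rather than at Jackson's view of the entity, the repository itself must state which paths may be bound. The following is an added example, not code from the advisory or the Spring project: a hypothetical `Account` entity with a Jackson-hidden field and a repository whose `QuerydslBinderCustomizer` turns the bindings into an allow-list. It assumes Spring Data REST 4.x/5.x (Jakarta Persistence; use `javax.persistence` on 3.7) and that the Querydsl annotation processor has generated `QAccount`.

```java
// Added example (not from the advisory or the Spring project).
// Assumes the Querydsl APT plugin has generated QAccount for the Account entity.
import com.fasterxml.jackson.annotation.JsonIgnore;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.querydsl.QuerydslPredicateExecutor;
import org.springframework.data.querydsl.binding.QuerydslBinderCustomizer;
import org.springframework.data.querydsl.binding.QuerydslBindings;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@Entity
class Account {
    @Id
    Long id;
    String username;

    // Hidden from JSON output by Jackson, but still a persistent property
    // that the Querydsl integration can see and bind as a filter key.
    @JsonIgnore
    String passwordHash;
}

@RepositoryRestResource(path = "accounts")
interface AccountRepository extends JpaRepository<Account, Long>,
        QuerydslPredicateExecutor<Account>,
        QuerydslBinderCustomizer<QAccount> {

    // Allow-list the bindable paths: only properties listed here can be used
    // as request-parameter filter keys; every unlisted property (passwordHash
    // included) is ignored instead of being handed to Querydsl.
    @Override
    default void customize(QuerydslBindings bindings, QAccount root) {
        bindings.including(root.username);
        bindings.excludeUnlistedProperties(true);
    }
}
```

The allow-list is a hardening measure that complements, rather than replaces, upgrading to a fixed release listed below.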
Affected versions:
Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Vulnerability Analysis
CVE-2026-41837 can be exploited with network access and requires neither privileges nor user interaction. Its attack complexity is considered low. A successful exploit is considered to have a small impact on confidentiality and a small impact on integrity and availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-41837 has been classified as an Authorization vulnerability or weakness.
Affected Versions
Spring Data REST:
- Versions from 3.7.0 up to, but not including, 3.7.20 are affected.
- Versions from 4.3.0 up to, but not including, 4.3.17 are affected.
- Versions from 4.4.0 up to, but not including, 4.4.15 are affected.
- Versions from 4.5.0 up to, but not including, 4.5.12 are affected.
- Versions from 5.0.0 up to, but not including, 5.0.6 are affected.