CVE-2026-41699

CRITICAL WAF: Medium

CVSS 9.8 Published: 2026-06-11

CWE-502

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

WAF Coverage Analysis

Insecure Deserialization Medium WAF Coverage

OWASP: A08:2021 Software and Data Integrity Failures

944xxx - Java Attack

Affected Software

Vendor	Product	Version
vmware	spring_for_graphql	1.3.0 - 1.3.9
vmware	spring_for_graphql	1.4.0 - 1.4.6
vmware	spring_for_graphql	2.0.0 - 2.0.4

References

spring.io (Vendor Advisory)

Back to CVE Database