
CVE-2026-41006: Spring HATEOAS Auth Bypass Vulnerability

CVE-2026-41006 is an authentication bypass vulnerability in Spring HATEOAS that allows unauthorized property binding by ignoring Jackson access-control annotations. This article covers technical details, affected versions, and mitigation.

CVE-2026-41006 Overview

CVE-2026-41006 affects Spring HATEOAS, a library used to build hypermedia-driven REST APIs in Spring applications. The vulnerability resides in the internal PropertyUtils.createObjectFromProperties method, which is used by the Collection+JSON and UBER media type deserializers. This method performs bean property binding via Java reflection without consulting Jackson access-control annotations such as @JsonIgnore or @JsonProperty(access = READ_ONLY). Attackers can set properties that application developers intended to mark as read-only or hidden from deserialization. The flaw is categorized under [CWE-284] Improper Access Control.

Critical Impact

Remote attackers can bypass Jackson access-control annotations to bind unintended bean properties through Collection+JSON or UBER media type requests, leading to availability impact on affected Spring HATEOAS applications.

Affected Products

  • Spring HATEOAS 1.5.0 through 1.5.6
  • Spring HATEOAS 2.3.0 through 2.3.4, 2.4.0 through 2.4.1, and 2.5.0 through 2.5.2
  • Spring HATEOAS 3.0.0 through 3.0.3

Discovery Timeline

  • 2026-06-09 - CVE-2026-41006 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-41006

Vulnerability Analysis

Spring HATEOAS provides deserializers for hypermedia formats including Collection+JSON and UBER. These deserializers route incoming JSON payloads through the internal PropertyUtils.createObjectFromProperties helper. The helper instantiates target beans and assigns properties via reflection. The reflection-based binding ignores Jackson's access-control annotations entirely. Properties annotated with @JsonIgnore, @JsonProperty(access = Access.READ_ONLY), or similar restrictions are still writable through these media type endpoints. Attackers send crafted Collection+JSON or UBER requests to controllers that accept these content types. The deserializer then binds attacker-supplied values to fields that the application developer expected to be unreachable from request input. This breaks the security contract that developers establish through Jackson annotations elsewhere in the application.

Root Cause

The root cause is missing annotation enforcement during reflection-based property binding. PropertyUtils.createObjectFromProperties was implemented as a standalone reflection helper that does not delegate to the Jackson ObjectMapper for access-control decisions. Jackson annotations are consulted only when Jackson itself performs binding, so the custom code path silently bypasses the annotation contract.
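As an added illustration (not code from Spring HATEOAS or the advisory), the contrast below shows a reflection binder that writes every declared field, in the style the advisory describes, beside one that consults the same field-level Jackson annotations before writing. The Account bean, its fields and the helper names are assumptions, and only field annotations are checked (Jackson also honours annotations on getters and setters).

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.lang.reflect.Field;
import java.util.Map;

public class AnnotationAwareBinding {
    // Hypothetical domain bean: "role" and "locked" must never be set from request input.
    public static class Account {
        public String name;
        @JsonProperty(access = JsonProperty.Access.READ_ONLY)
        public String role = "USER";
        @JsonIgnore
        public boolean locked;
    }

    // Naive binding in the style the advisory describes: every declared field is writable.
    static <T> T bindNaive(Class<T> type, Map<String, Object> props) throws Exception {
        T bean = type.getDeclaredConstructor().newInstance();
        for (Field f : type.getDeclaredFields()) {
            if (!props.containsKey(f.getName())) continue;
            f.setAccessible(true);
            f.set(bean, props.get(f.getName()));
        }
        return bean;
    }

    // What Jackson itself would refuse to deserialize (field annotations only; Jackson also checks setters).
    static boolean writableFromInput(Field f) {
        JsonIgnore ignore = f.getAnnotation(JsonIgnore.class);
        if (ignore != null && ignore.value()) return false;
        JsonProperty prop = f.getAnnotation(JsonProperty.class);
        return prop == null || prop.access() != JsonProperty.Access.READ_ONLY;
    }

    // Hardened binding: refuse any property the annotations mark as not writable from input.
    static <T> T bindChecked(Class<T> type, Map<String, Object> props) throws Exception {
        T bean = type.getDeclaredConstructor().newInstance();
        for (Field f : type.getDeclaredFields()) {
            if (!props.containsKey(f.getName())) continue;
            if (!writableFromInput(f)) throw new IllegalArgumentException("not writable from input: " + f.getName());
            f.setAccessible(true);
            f.set(bean, props.get(f.getName()));
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request payload that tries to set the two protected properties.
        Map<String, Object> input = Map.of("name", "alice", "role", "ADMIN", "locked", true);
        System.out.println("naive binder wrote role=" + bindNaive(Account.class, input).role);
        try { bindChecked(Account.class, input); }
        catch (IllegalArgumentException e) { System.out.println("checked binder rejected: " + e.getMessage()); }
    }
}
```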

Attack Vector

The attack vector is network-based and unauthenticated. An attacker sends a request with Content-Type: application/vnd.collection+json or application/vnd.amundsen-uber+json to any Spring HATEOAS endpoint that accepts deserialized bean input. The request body includes properties the developer intended to exclude. The deserializer populates these properties on the target bean, which can drive the application into unexpected states and trigger availability impact. See the Spring Security Advisory CVE-2026-41006 for vendor-supplied details.

Detection Methods for CVE-2026-41006

Indicators of Compromise

  • Inbound HTTP requests with Content-Type: application/vnd.collection+json or application/vnd.amundsen-uber+json targeting endpoints that previously received only standard application/json.
  • Request bodies containing field names that match properties annotated with @JsonIgnore or @JsonProperty(access = READ_ONLY) in the application's domain model.
  • Application exceptions or service crashes correlated with Collection+JSON or UBER deserialization stack traces referencing PropertyUtils.createObjectFromProperties.

Detection Strategies

  • Inventory all services that include spring-hateoas on the classpath and verify the resolved version against the affected ranges.
  • Audit controller methods that consume Collection+JSON or UBER media types and identify backing beans that rely on Jackson annotations for field protection.
  • Enable verbose request logging on hypermedia endpoints during a triage window to capture payload structure for anomaly review.

Monitoring Recommendations

  • Alert on HTTP requests carrying Collection+JSON or UBER content types from external networks if such traffic is not expected.
  • Monitor for repeated 5xx responses from hypermedia endpoints, which may indicate exploitation attempts triggering availability impact.
  • Track Spring HATEOAS version drift across deployments using software composition analysis tooling.

How to Mitigate CVE-2026-41006

Immediate Actions Required

  • Upgrade Spring HATEOAS to a fixed release line consistent with vendor guidance in the Spring Security Advisory CVE-2026-41006.
  • Restrict acceptance of application/vnd.collection+json and application/vnd.amundsen-uber+json content types on endpoints that do not require them.
  • Review domain beans bound by hypermedia deserializers and remove sensitive or state-controlling fields from these beans where feasible.

Patch Information

Pivotal/Broadcom has published guidance in the Spring Security Advisory CVE-2026-41006. Users on the 1.5.x, 2.3.x, 2.4.x, 2.5.x, and 3.0.x lines must update past the highest affected version listed for each line: 1.5.6, 2.3.4, 2.4.1, 2.5.2, and 3.0.3 respectively.

Workarounds

  • Disable the Collection+JSON and UBER media type configurations in HypermediaConfiguration if the application does not require them.
  • Place a reverse proxy or API gateway rule in front of the application to block requests with the affected hypermedia content types.
  • Apply input validation at the controller layer to reject requests that include fields intended to be read-only on the backing bean.
Example dependency update with the Maven Versions plugin:

```bash
# Maven dependency update example - adjust version to the fixed release for your branch
mvn versions:use-dep-version -Dincludes=org.springframework.hateoas:spring-hateoas -DdepVersion=3.0.4 -DforceVersion=true
```
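One way to apply the first two workarounds in a Spring MVC application, as an added example that is not the project's or the vendor's code: register HAL only through @EnableHypermediaSupport so the Collection+JSON and UBER deserializers are never installed, and reject the two content types before they reach any controller. It assumes a Spring Framework 6+ application (jakarta.servlet); the filter, the class names and the allowlisted path are illustrative.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.hateoas.config.EnableHypermediaSupport;
import org.springframework.hateoas.config.EnableHypermediaSupport.HypermediaType;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Register HAL only, so the Collection+JSON and UBER deserializers are never installed.
@Configuration
@EnableHypermediaSupport(type = HypermediaType.HAL)
class HypermediaConfig {
}

// Reject the affected content types before any controller or message converter sees them.
@Component
class HypermediaContentTypeFilter extends OncePerRequestFilter {
    static final Set<String> BLOCKED = Set.of("application/vnd.collection+json", "application/vnd.amundsen-uber+json");
    // Hypothetical paths that legitimately still consume these formats (leave empty if none).
    static final Set<String> ALLOWED_PATHS = Set.of("/legacy/collections");

    // Compare the bare media type: parameters such as charset are dropped and case is ignored.
    static boolean shouldReject(String contentType, String path) {
        if (contentType == null) return false;
        String bare = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return BLOCKED.contains(bare) && !ALLOWED_PATHS.contains(path);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        if (shouldReject(req.getContentType(), req.getRequestURI())) {
            // Logged so the rejected requests feed the monitoring recommendations above; 415 matches
            // what a consumes= mapping would return for an unsupported media type.
            logger.warn("Rejected hypermedia content type " + req.getContentType() + " on " + req.getRequestURI());
            res.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        chain.doFilter(req, res);
    }
}
```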

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
