{"id":"CVE-2026-41728","summary":"Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objects and collections","details":"Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer.\n\nAffected versions:\nSpring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.","modified":"2026-07-08T08:13:13.145822114Z","published":"2026-06-09T23:49:13.279Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"3.7.0"},{"fixed":"3.7.20"},{"introduced":"4.3.0"},{"fixed":"4.3.17"},{"introduced":"4.4.0"},{"fixed":"4.4.15"},{"introduced":"4.5.0"},{"fixed":"4.5.11.1"},{"introduced":"5.0.0"},{"fixed":"5.0.5.1"}],"source":"AFFECTED_FIELD"},{"extracted_events":[{"introduced":"3.7.0"},{"fixed":"3.7.19"},{"introduced":"4.3.0"},{"fixed":"4.3.16"},{"introduced":"4.4.0"},{"fixed":"4.4.14"},{"introduced":"4.5.0"},{"fixed":"4.5.11"},{"introduced":"5.0.0"},{"fixed":"5.0.5"}],"source":"DESCRIPTION"}],"cna_assigner":"vmware","cwe_ids":["CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41728.json"},"references":[{"type":"WEB","url":"https://spring.io/security/cve-2026-41728"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41728.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41728"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-projects/spring-data-rest","events":[{"introduced":"63587e562e5e3b10e305dfd79d8b803b7e75f916"},{"last_affected":"e79c85ec1922fe04e52ec77c92ed2a8c8b97c7b7"},{"introduced":"0ae642131f36b87b9a46c568e53a7b56f99c72ff"},{"last_affected":"9c03c243bb3baf8edad8b300254d320934f78a40"}],"database_specific":{"extracted_events":[{"introduced":"4.5.0"},{"last_affected":"4.5.11"},{"introduced":"5.0.0"},{"last_affected":"5.0.5"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:vmware:spring_data_rest:*:*:*:*:*:*:*:*"}}],"versions":["5.0.5","4.5.11","5.0.4","4.5.10","4.5.9","5.0.3","5.0.2","4.5.8","5.0.1","4.5.7","5.0.0","4.5.6","4.5.5","4.5.4","4.5.3","4.5.2","4.5.1","4.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41728.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}