Security Advisory - Published 2026-06-12 - Spring

Spring June 2026 CVEs: Security, Data Commons, and GraphQL self-check

Three Spring advisories from June 2026 affect different trust boundaries. Spring Security can render unsafe SAML registration values into generated forms, Spring Data Commons can exhaust memory when untrusted property paths are resolved, and Spring for GraphQL can miss method-security annotations in controller hierarchies.

Defensive scope: this page covers dependency checks, code review targets, and upgrade paths. It does not include crafted SAML values, property-path fuzzing, or GraphQL bypass probes.

What is affected

CVE            | Component           | Risk condition                                                                           | Fixed lines
CVE-2026-41003 | Spring Security     | Attacker-influenced RelyingPartyRegistration values rendered into SAML forms.             | 6.5.11 / 7.0.6 OSS; older fixed lines are enterprise support.
CVE-2026-41695 | Spring Data Commons | Untrusted property path strings passed into MappingContext resolution.                    | 4.0.6 / 3.5.12 OSS; 3.4.15 enterprise support.
CVE-2026-41856 | Spring for GraphQL  | @Controller hierarchies rely on method-security annotations for authorization decisions. | 2.0.4 / 1.4.6 OSS; older fixed lines are commercial.

10-minute self-check

Check resolved dependencies

mvn dependency:tree | grep -E "spring-security|spring-data-commons|spring-graphql"
./gradlew dependencies --configuration runtimeClasspath | grep -E "spring-security|spring-data-commons|spring-graphql"

Check resolved runtime versions, not just the parent BOM. Direct overrides and shaded libraries can leave vulnerable components in production.
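An added example, not part of the advisory or of Spring's own tooling: a POSIX shell script that reads the dependency-tree output from the commands above and reports, per affected artifact, whether the resolved version is at or above the fixed OSS line in the table. The sample input is constructed, and the rule that an artifact's major.minor branch selects which fixed line applies is this script's assumption.

```shell
#!/bin/sh
# Added example, not from the advisory or Spring: flag resolved Spring artifacts that sit
# below the fixed OSS lines listed above. Fix versions come from the page; mapping each
# artifact to a fixed line by its major.minor branch is this script's own assumption.

# classify ARTIFACT VERSION -> "ok", "upgrade-to <fixed>", "no-oss-fix" or "not-tracked".
# Lines older than the OSS fixes (e.g. Spring Data Commons 3.4.x) need enterprise support.
classify() {
  artifact=$1 version=$2
  branch=$(printf '%s' "$version" | cut -d. -f1,2)
  case "$artifact:$branch" in
    spring-security-*:6.5)   fixed=6.5.11 ;;
    spring-security-*:7.0)   fixed=7.0.6 ;;
    spring-data-commons:4.0) fixed=4.0.6 ;;
    spring-data-commons:3.5) fixed=3.5.12 ;;
    spring-graphql*:2.0)     fixed=2.0.4 ;;
    spring-graphql*:1.4)     fixed=1.4.6 ;;
    spring-security-*|spring-data-commons:*|spring-graphql*) echo no-oss-fix; return 0 ;;
    *) echo not-tracked; return 0 ;;
  esac
  # Same major.minor as the fixed line, so the patch number decides; drop qualifiers
  # such as -SNAPSHOT before the numeric comparison.
  patch=$(printf '%s' "$version" | cut -d. -f3 | sed 's/[^0-9].*//')
  need=$(printf '%s' "$fixed" | cut -d. -f3)
  if [ "${patch:-0}" -ge "$need" ]; then echo ok; else echo "upgrade-to $fixed"; fi
}

# scan_tree: read mvn dependency:tree or gradle dependencies output on stdin and print
# "artifact:version verdict" for every affected component (maven's ":jar:" is stripped).
scan_tree() {
  grep -oE 'org\.springframework\.[a-z]+:(spring-security-[a-z0-9-]+|spring-data-commons|spring-graphql[a-z-]*):(jar:)?[0-9][0-9A-Za-z.-]*' |
    sed 's/:jar:/:/' |
    while IFS=: read -r group artifact version; do
      printf '%s:%s %s\n' "$artifact" "$version" "$(classify "$artifact" "$version")"
    done
}

# Constructed sample mixing maven and gradle output lines; spring-data-jpa is not tracked.
SAMPLE='[INFO] +- org.springframework.security:spring-security-saml2-service-provider:jar:6.5.10:compile
[INFO] |  \- org.springframework.data:spring-data-commons:jar:4.0.6:compile
+--- org.springframework.graphql:spring-graphql:1.3.2
[INFO] \- org.springframework.data:spring-data-jpa:jar:4.0.5:compile'

printf '%s\n' "$SAMPLE" | scan_tree
```

Pipe the real `mvn dependency:tree` or `./gradlew dependencies` output into `scan_tree`; a Gradle line that shows a conflict resolution arrow (`6.5.10 -> 6.5.11`) reports the declared version, so check the arrow manually in that case.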

Review Spring Security SAML registration sources

grep -RniE "RelyingPartyRegistration|saml2Login|Saml2" src 2>/dev/null | head -120

Focus on setups where SAML registration data can be changed through admin screens, tenant metadata, partner uploads, or database records. Static, reviewed registration configuration is lower risk, but still needs the version fix.

Review property-path exposure

grep -RniE "MappingContext|PropertyPath|Sort|RepositoryRestResource" src 2>/dev/null | head -120

Spring says Spring Data Commons does not directly expose the affected API to untrusted callers. The risk appears when an application or consuming module passes attacker-controlled path strings into that resolution path.

Review GraphQL method security

grep -RniE "@Controller|@QueryMapping|@MutationMapping|@EnableMethodSecurity|@PreAuthorize" src 2>/dev/null | head -160

Check controllers that inherit methods or annotations through type hierarchies. If method-security annotations are the only authorization gate, patch before relying on manual endpoint testing.

Safe fix path

  1. Upgrade the affected Spring component to the fixed line available for your branch.
  2. Keep SAML registration data under trusted administrative control.
  3. Reject or allowlist user-controlled property names before they reach mapping resolution.
  4. Review GraphQL controller inheritance and method-security placement after upgrading.
  5. Run authentication and authorization smoke tests before reopening public traffic.

Ping7 repair path

Ping7 can review dependency trees, SAML registration storage, property-path exposure, GraphQL controller security, and post-upgrade checks. Start from CVE Repair and include the dependency tree, Spring Boot version, SAML usage, and whether GraphQL is public.

References