Security Advisory - Published 2026-06-12 - Spring
Spring June 2026 CVEs: Security, Data Commons, and GraphQL self-check
Three Spring advisories from June 2026 affect different trust boundaries. Spring Security can render unsafe SAML registration values into generated forms, Spring Data Commons can exhaust memory when untrusted property paths are resolved, and Spring for GraphQL can miss method-security annotations in controller hierarchies.
What is affected
| CVE | Component | Risk condition | Fixed lines |
|---|---|---|---|
| CVE-2026-41003 | Spring Security | Attacker-influenced RelyingPartyRegistration values rendered into SAML forms. | 6.5.11 / 7.0.6 OSS; older fixed lines are enterprise support. |
| CVE-2026-41695 | Spring Data Commons | Untrusted property path strings passed into MappingContext resolution. | 4.0.6 / 3.5.12 OSS; 3.4.15 enterprise support. |
| CVE-2026-41856 | Spring for GraphQL | @Controller hierarchies rely on method-security annotations for authorization decisions. | 2.0.4 / 1.4.6 OSS; older fixed lines are commercial. |
10-minute self-check
Check resolved dependencies
mvn dependency:tree | grep -E "spring-security|spring-data-commons|spring-graphql"
./gradlew dependencies --configuration runtimeClasspath | grep -E "spring-security|spring-data-commons|spring-graphql"
Check resolved runtime versions, not just the parent BOM. Direct overrides and shaded libraries can leave vulnerable components in production.
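The two commands above only list the matching lines; deciding whether each resolved version is at or above the fixed line in the table is still a manual step. The script below is an added example and not part of the advisory: it reads `mvn dependency:tree` or Gradle `dependencies` output from stdin, extracts the resolved version of every Spring Security, Spring Data Commons and Spring for GraphQL artifact (preferring the version after Gradle's `->` marker, since that is what ships), and compares it with the OSS fixed lines from the table. The dependency-tree lines embedded in it are constructed sample input, the script name `spring_cve_check.py` is assumed, and versions on a major.minor line that has no OSS fix listed are flagged for review rather than assumed safe.

```python
import re

# First fixed OSS patch release per major.minor line, copied from the advisory
# table. Lines not listed are either older lines whose fixes are only under
# enterprise/commercial support or lines the advisory does not mention, so they
# are reported for manual review instead of being guessed at.
FIXED_LINES = {
    "CVE-2026-41003": ("spring-security", {"6.5": 11, "7.0": 6}),
    "CVE-2026-41695": ("spring-data-commons", {"4.0": 6, "3.5": 12}),
    "CVE-2026-41856": ("spring-graphql", {"2.0": 4, "1.4": 6}),
}

# Gradle prints "declared -> resolved" when a BOM or conflict resolution changed
# the version; the resolved one is what ends up on the runtime classpath.
ARROW_RE = re.compile(r"([\w.\-]+):([\w.\-]+)(?::[\w.\-]+)* -> (\d+)\.(\d+)\.(\d+)")
# Maven:  group:artifact:packaging[:classifier]:version:scope
# Gradle: group:artifact:version  (no upgrade marker)
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:[\w.\-]+:){0,2}?(\d+)\.(\d+)\.(\d+)")


def parse_line(line):
    """Return (group, artifact, (major, minor, patch)) for a tree line, or None."""
    m = ARROW_RE.search(line) or COORD_RE.search(line)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(3, 4, 5))
    return m.group(1), m.group(2), version


def assess(group, artifact, version):
    """Map a coordinate to (cve, status); None when no advisory in the table applies."""
    if not group.startswith("org.springframework"):
        return None
    major, minor, patch = version
    line = f"{major}.{minor}"
    for cve, (family, lines) in FIXED_LINES.items():
        if not artifact.startswith(family):
            continue
        fixed = lines.get(line)
        if fixed is None:
            return cve, f"REVIEW: {line}.x line has no OSS fix listed; check support status"
        if patch >= fixed:
            return cve, "fixed"
        return cve, f"VULNERABLE: upgrade to {line}.{fixed}"
    return None


def scan(tree_lines):
    """Scan dependency-tree output; return [(coordinate, cve, status)] without duplicates."""
    seen = {}
    for line in tree_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        verdict = assess(group, artifact, version)
        if verdict is None:
            continue
        coord = f"{group}:{artifact}:{'.'.join(map(str, version))}"
        seen.setdefault(coord, verdict)
    return [(coord, cve, status) for coord, (cve, status) in seen.items()]


# Constructed sample output (not from a real build) covering both tools' formats.
SAMPLE_MAVEN = [
    "[INFO] com.example:shop:jar:1.0.0",
    "[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.5.7:compile",
    "[INFO] |  +- org.springframework.security:spring-security-config:jar:6.5.10:compile",
    "[INFO] |  \\- org.springframework.security:spring-security-web:jar:6.5.10:compile",
    "[INFO] +- org.springframework.data:spring-data-commons:jar:4.0.6:compile",
    "[INFO] \\- org.springframework.graphql:spring-graphql:jar:1.3.2:compile",
]
SAMPLE_GRADLE = [
    "runtimeClasspath - Runtime classpath of source set 'main'.",
    "+--- org.springframework.boot:spring-boot-starter-security -> 3.5.7",
    "|    +--- org.springframework.security:spring-security-web:6.5.9 -> 6.5.11",
    "+--- org.springframework.data:spring-data-commons -> 3.5.11",
    "\\--- org.springframework.graphql:spring-graphql:2.0.4 (*)",
]

if __name__ == "__main__":
    import sys

    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_MAVEN + SAMPLE_GRADLE
    for coord, cve, status in scan(source):
        print(f"{cve}\t{coord}\t{status}")
```

Pipe the real tree in with `mvn dependency:tree | python3 spring_cve_check.py` (or the Gradle command); run without input it reports on the embedded samples. A `REVIEW` verdict means the line is not in the OSS fix table, which is exactly the enterprise-support case the table's last column points at.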
Review Spring Security SAML registration sources
grep -RniE "RelyingPartyRegistration|saml2Login|Saml2" src 2>/dev/null | head -120
Focus on setups where SAML registration data can be changed through admin screens, tenant metadata, partner uploads, or database records. Static, reviewed registration configuration is lower risk, but still needs the version fix.
Review property-path exposure
grep -RniE "MappingContext|PropertyPath|Sort|RepositoryRestResource" src 2>/dev/null | head -120
Spring says Spring Data Commons does not directly expose the affected API to untrusted callers. The risk appears when an application or consuming module passes attacker-controlled path strings into that resolution path.
Review GraphQL method security
grep -RniE "@Controller|@QueryMapping|@MutationMapping|@EnableMethodSecurity|@PreAuthorize" src 2>/dev/null | head -160
Check controllers that inherit methods or annotations through type hierarchies. If method-security annotations are the only authorization gate, patch before relying on manual endpoint testing.
Safe fix path
- Upgrade the affected Spring component to the fixed line available for your branch.
- Keep SAML registration data under trusted administrative control.
- Reject or allowlist user-controlled property names before they reach mapping resolution.
- Review GraphQL controller inheritance and method-security placement after upgrading.
- Run authentication and authorization smoke tests before reopening public traffic.
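The allowlist step above, and the property-path review in the self-check, both come down to the same rule: a client may name a property only if it is on a fixed list of flat, known properties; nested paths, unknown names and malformed tokens are rejected before anything reaches Spring Data's property resolution; and the number of sort fields is capped. The code below is an added example, not code from the advisory or from Spring: it shows that fail-closed validation for repeated `sort=property[,asc|desc]` request parameters against a constructed allowlist for a hypothetical orders resource. In a Spring application the returned pairs would be turned into `Sort.Order` objects; the validation logic itself carries over to Java unchanged.

```python
import re

# Constructed allowlist for a hypothetical "orders" resource (example data, not
# from the advisory): the only property names a client may use in a sort
# parameter. Everything else is refused before Spring Data sees it.
ALLOWED_SORT_PROPERTIES = frozenset({"createdAt", "total", "status"})
MAX_SORT_FIELDS = 3
# One flat identifier, no dots: nested paths such as "customer.address.city"
# fail the shape check before the allowlist is even consulted.
FLAT_PROPERTY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,63}$")


class UnsafeSortError(ValueError):
    """Raised when a client-supplied sort parameter is rejected."""


def validate_sort(raw_values, allowed=ALLOWED_SORT_PROPERTIES, max_fields=MAX_SORT_FIELDS):
    """Validate repeated ?sort=property[,asc|desc] values.

    Returns an ordered list of (property, direction) pairs that are safe to
    hand to Sort.by(...) in the Spring layer. Fails closed: an unknown,
    nested, malformed or duplicated property, a bad direction, or too many
    fields raises UnsafeSortError instead of being partially accepted.
    """
    orders = []
    seen = set()
    for raw in raw_values:
        parts = [p.strip() for p in raw.split(",")]
        if not 1 <= len(parts) <= 2:
            raise UnsafeSortError(f"malformed sort value: {raw!r}")
        prop = parts[0]
        direction = parts[1].lower() if len(parts) == 2 else "asc"
        if direction not in ("asc", "desc"):
            raise UnsafeSortError(f"bad direction in {raw!r}")
        if not FLAT_PROPERTY_RE.match(prop):
            raise UnsafeSortError(f"property name has unexpected shape: {prop!r}")
        if prop not in allowed:
            raise UnsafeSortError(f"property not in allowlist: {prop!r}")
        if prop in seen:
            raise UnsafeSortError(f"duplicate sort property: {prop!r}")
        seen.add(prop)
        orders.append((prop, direction))
        if len(orders) > max_fields:
            raise UnsafeSortError(f"more than {max_fields} sort fields")
    return orders


def is_rejected(raw_values, **kwargs):
    """True if validate_sort refuses the input; useful for tests and for logging rejections."""
    try:
        validate_sort(raw_values, **kwargs)
    except UnsafeSortError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request parameters: one accepted, one refused.
    print(validate_sort(["createdAt,desc", "total"]))
    for bad in (["customer.address.city"], ["secretField"], ["createdAt,sideways"]):
        print(bad, "rejected" if is_rejected(bad) else "accepted")
```

Log the rejected raw value with the request id rather than echoing it back to the client; a burst of rejected nested paths on a sort parameter is the kind of probing worth seeing in detection.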
Ping7 repair path
Ping7 can review dependency trees, SAML registration storage, property-path exposure, GraphQL controller security, and post-upgrade checks. Start from CVE Repair and include the dependency tree, Spring Boot version, SAML usage, and whether GraphQL is public.