External risk intelligence

Spring for GraphQL Unsafe Deserialization Remote Code Execution

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-41699

Spring for GraphQL applications may allow remote code execution through unsafe deserialization when processing paginated GraphQL queries. An attacker could exploit this by sending a crafted request, potentially leading to compromised applications if specific conditions are met.

Halo Surface Signal score: 4

Deserialization

VMware Spring for GraphQL

Affected versions:
  • 1.3.0 to before 1.3.9
  • 1.4.0 to before 1.4.6
  • 2.0.0 to before 2.0.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-41699

This vulnerability affects applications using Spring for GraphQL to handle paginated queries. GraphQL endpoints are commonly exposed as internet-facing APIs to provide data to web or mobile clients, making this type of service a standard, externally reachable component of modern web application architectures.

PCI scan relevance

PCI Relevance for CVE-2026-41699

Yes

CVE-2026-41699 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Spring for GraphQL vulnerability allows for Remote Code Execution, which is a critical issue for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in Spring for GraphQL applications that could allow remote code execution if specific conditions are met, particularly when handling paginated GraphQL queries. This issue arises from unsafe deserialization, presenting a significant risk if exploited.

  • A crafted request to a paginated (Connection) field is handled unsafely.
  • The flaw can lead to remote code execution on the server.
  • Confirm whether your deployment runs an affected version and exposes paginated fields.

Attack Path

How an attacker could exploit the issue

An attacker who can reach a vulnerable Spring for GraphQL application over the network sends a crafted GraphQL request aimed at a paginated (Connection) field. If the classes needed to complete the deserialization chain are present on the application's classpath, the request triggers unsafe deserialization and the attacker can execute arbitrary code on the server.

  • Network reachability of the GraphQL endpoint; no authentication is required.
  • Triggered by a crafted (not merely malformed) request to a paginated GraphQL field.
  • Succeeds only when the required classes are on the classpath; the outcome is remote code execution in the application process.

Live Threat

Current exploitation, exposure, and threat context

Spring for GraphQL applications that process paginated queries are vulnerable to unsafe deserialization, which can lead to remote code execution when specific classes are present on the classpath. The precondition is that the application exposes a paginated (Connection) field.

  • Precondition: an affected version serving at least one paginated (Connection) field.
  • A crafted GraphQL request reaching that field triggers the deserialization.
  • Result: arbitrary code execution in the application process.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The fix is a library upgrade, so it falls to the application owners and platform teams who build and deploy these services. Start by inventorying every service that bundles spring-graphql (directly or through the Spring Boot GraphQL starter), confirm which instances are internet-facing and business-critical, and assign an owner for each. Upgrade to 1.3.9, 1.4.6 or 2.0.4 (or later in the same release line). Where an immediate upgrade is not possible, the advisory notes that the bug does not trigger if the application avoids the paginated (Connection) query features, so removing or disabling those fields closes the trigger path.

  • Application owners upgrade the spring-graphql dependency to 1.3.9, 1.4.6 or 2.0.4.
  • Verify public exposure and business criticality to order the rollout.
  • Until patched, treat every Connection field on an affected version as an exploitable surface; log and alert on requests to those fields.

Frequently asked questions

What is Spring for GraphQL?

Spring for GraphQL is a framework used by developers to build flexible, data-driven APIs in Java applications. It acts as an integration layer between the Spring ecosystem and the GraphQL query language, allowing systems to efficiently serve, fetch, and organize data for web and mobile frontends.

What does unsafe deserialization mean for CVE-2026-41699?

This vulnerability is an instance of CWE-502, Deserialization of Untrusted Data: the application reconstructs objects from data supplied by a client without validating it first. Here that data arrives inside a GraphQL request to a paginated field; if the classes needed to complete a deserialization chain are on the classpath, the attacker can make the server execute arbitrary code.

How is this vulnerability triggered?

An attacker must send a specifically crafted request to a GraphQL endpoint that supports pagination, typically using the 'Connection' field format. The bug does not trigger if the application avoids these specific paginated query features, or if the server environment lacks the specific application classes required to complete the malicious deserialization process.

Is my application at risk?

According to Halo Surface Signal, this vulnerability is considered a likely risk if your application exposes GraphQL endpoints to the internet. Since these APIs are frequently used for web and mobile connectivity, they are often reachable by external actors, increasing the likelihood that a vulnerable instance could be targeted over the network.

What should I do to address CVE-2026-41699?

Begin by auditing your environment to locate every instance of the Spring for GraphQL library and its resolved version. Prioritize the instances that fall in an affected range and use paginated (Connection) query features. Then coordinate with your development or platform teams to upgrade to 1.3.9, 1.4.6 or 2.0.4, starting with internet-facing services.
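The inventory and triage steps described under Operational Fix and in this answer, as an added example (this is not code from Halo or from the Spring project): it takes Maven `mvn dependency:tree` or Gradle `gradle dependencies` output plus the application's SDL schema, and reports whether an instance runs an affected spring-graphql version and exposes a paginated (Connection) field. The artifact coordinates `org.springframework.graphql:spring-graphql` are the library's real Maven coordinates; the sample build output and sample schema are constructed for the example. The classpath condition the advisory mentions is not checked, because the page does not name the classes involved, so an instance meeting the other two conditions is reported as exposed.

```python
"""Triage helper for CVE-2026-41699 (Spring for GraphQL unsafe deserialization).
Added example, not Halo's or the Spring project's code. Checks the two
conditions the advisory names: an affected spring-graphql version and a
paginated (Connection) field in the schema. Gadget classes on the classpath
are not named on the page, so they are treated as unknown (assume present)."""
import re

# Affected ranges from the advisory: (first affected, first fixed); fixed is exclusive.
AFFECTED_RANGES = [
    ((1, 3, 0), (1, 3, 9)),
    ((1, 4, 0), (1, 4, 6)),
    ((2, 0, 0), (2, 0, 4)),
]

# Matches the spring-graphql artifact in Maven ("...:spring-graphql:jar:1.3.2:compile")
# and Gradle ("...:spring-graphql:1.3.0 -> 1.3.2") output; spring-graphql-test is excluded.
DEP_LINE = re.compile(
    r"org\.springframework\.graphql:spring-graphql:(?:jar:)?([0-9][\w.\-]*)"
    r"(?:\s*->\s*([0-9][\w.\-]*))?"
)
# One SDL field definition per line: name, optional "(args)", then the return type.
FIELD_DEF = re.compile(r"^\s*(\w+)\s*(\(([^)]*)\))?\s*:\s*\[?(\w+)", re.MULTILINE)
PAGINATION_ARGS = {"first", "after", "last", "before"}  # Relay-style cursor arguments


def parse_version(version):
    """Reduce '1.4.5', '1.4.5-SNAPSHOT' or '2.0.3.RELEASE' to a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version):
    """First fixed release for an affected version, or None when the version is not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return ".".join(str(x) for x in first_fixed)
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


def find_spring_graphql_versions(dependency_output):
    """Resolved spring-graphql versions in Maven/Gradle output (a Gradle '-> x' resolution wins)."""
    versions = []
    for m in DEP_LINE.finditer(dependency_output):
        resolved = m.group(2) or m.group(1)
        if resolved not in versions:
            versions.append(resolved)
    return versions


def find_connection_fields(sdl):
    """(field, return type) pairs that look paginated: a *Connection return type or
    first/after/last/before arguments. SDL comment lines are ignored."""
    body = "\n".join(l for l in sdl.splitlines() if not l.lstrip().startswith("#"))
    hits = []
    for m in FIELD_DEF.finditer(body):
        name, _, args, return_type = m.groups()
        arg_names = set(re.findall(r"(\w+)\s*:", args or ""))
        if return_type.endswith("Connection") or arg_names & PAGINATION_ARGS:
            hits.append((name, return_type))
    return hits


def assess(dependency_output, sdl):
    """Combine both checks; 'exposed' means affected version AND a paginated field present."""
    versions = find_spring_graphql_versions(dependency_output)
    affected = [v for v in versions if is_affected(v)]
    connections = find_connection_fields(sdl)
    return {
        "versions": versions,
        "affected_versions": affected,
        "connection_fields": connections,
        "exposed": bool(affected) and bool(connections),
        "upgrade_to": sorted({fixed_version_for(v) for v in affected}),
    }


# Constructed sample inputs (not captured from a real build or application).
SAMPLE_MAVEN_TREE = """\
[INFO] +- org.springframework.boot:spring-boot-starter-graphql:jar:3.3.4:compile
[INFO] |  \\- org.springframework.graphql:spring-graphql:jar:1.3.2:compile
[INFO] +- org.springframework.graphql:spring-graphql-test:jar:1.3.2:test
"""
SAMPLE_GRADLE_DEPS = """\
+--- org.springframework.boot:spring-boot-starter-graphql:3.3.4
|    \\--- org.springframework.graphql:spring-graphql:1.3.0 -> 1.3.2
"""
SAMPLE_SCHEMA = """\
type Query {
  # single lookup, not paginated
  book(id: ID!): Book
  books(first: Int, after: String): BookConnection
}

type Book {
  id: ID!
  title: String
}
"""

if __name__ == "__main__":
    for label, tree in (("maven", SAMPLE_MAVEN_TREE), ("gradle", SAMPLE_GRADLE_DEPS)):
        print(label, assess(tree, SAMPLE_SCHEMA))
```

Run it against the real `mvn dependency:tree` or `gradle dependencies` output of each service and its `.graphqls` files; a result with `exposed` true goes to the front of the upgrade queue, and `upgrade_to` gives the first fixed release in that line. Spring for GraphQL can generate the `*Connection` type itself, so the schema may declare only the field's return type, which is why the check keys on the field rather than on a type definition.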
