CVE-2026-41006 Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration

Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3...

CVE-2026-41006

Spring HATEOAS contains a deserialization vulnerability where internal PropertyUtils.createObjectFromProperties binds bean properties via reflection without honoring Jackson access-control annotations. This affects multiple supported branches: 1.5.x, 2.3.x, 2.4.x, 2.5.x, and 3.0.x up to 3.0.3. Th...

PT-2026-47644

Name of the Vulnerable Software and Affected Versions Spring HATEOAS versions 1.5.0 through 1.5.6 Spring HATEOAS versions 2.3.0 through 2.3.4 Spring HATEOAS versions 2.4.0 through 2.4.1 Spring HATEOAS versions 2.5.0 through 2.5.2 Spring HATEOAS versions 3.0.0 through 3.0.3 Description The interna...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via reflective property binding in PropertyUtils.createObjectFromProperties. An attacker can modify security-sensitive object properties by supplying crafted...