Vmware Spring For Graphql

4 matches found

CVE
added 2023/09/20 9:9 a.m. | 2518 views

CVE-2023-34047

CVE-2023-34047 affects Spring GraphQL versions 1.1.0–1.1.5 and 1.2.0–1.2.2: an application is vulnerable when it registers batch loader functions with a DataLoaderOptions instance. Root cause: a batch loader may be exposed to the GraphQL context with values from a different session, including secur...

CVSS 4.3 | AI score 4.2 | EPSS 0.0036
CVE
added 2026/06/11 5:4 a.m. | 36 views

CVE-2026-41700

Spring for GraphQL with WebSocket transport is affected by Cross-Site WebSocket Hijacking. Affected versions: Spring for GraphQL 2.0.0–2.0.3; 1.4.0–1.4.5; 1.3.0–1.3.8; 1.0.0–1.0.6. Description confirms the issue: an attacker can lure an authenticated user to a malicious page to execute arbitrary ...

CVSS 8.1 | AI score 5.9 | EPSS 0.00182
CVE
added 2026/06/11 5:4 a.m. | 30 views

CVE-2026-41699

CVE-2026-41699: Spring for GraphQL is affected by an Unsafe Deserialization flaw when processing paginated GraphQL queries (Connection fields). If the classpath contains specific deserialization-related classes, a crafted GraphQL request can lead to Remote Code Execution. Affected versions: Spri...

CVSS 9.8 | AI score 5.7 | EPSS 0.0043
CVE
added 2026/06/11 5:5 a.m. | 25 views

CVE-2026-41856

CVE-2026-41856 affects Spring GraphQL’s annotation detection for @Controller data fetchers, where resolution of annotations in type hierarchies may be incorrect. This can lead to security annotations being ignored at runtime when all conditions are met and annotations are used for authorization d...

CVSS 7.5 | AI score 5.4 | EPSS 0.00352