Two critical vulnerabilities in Spring HATEOAS have been identified: CVE-2026-41006 and CVE-2026-41007. The first allows attackers to bypass essential data checks by exploiting poor handling of the Collection+JSON and UBER media types, potentially leading to unauthorized data modifications. The second causes server crashes through unbounded caching, which lets attackers exhaust memory by flooding the cache with excessive data. Affected versions range from 1.5 to 3.0; users are urged to upgrade to version 2.5.3 or 3.0.4 to mitigate these risks.
Spring HATEOAS bugs let attackers bypass checks, crash servers
Article by CyberSIXT