CVE-2026-41700

HIGH

Cross-Site WebSocket Hijacking in Spring for GraphQL

Title source: cna

Description

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

References (1)

Core 1

Core References

https://spring.io/security/cve-2026-41700

Scores

CVSS v3 8.1

EPSS 0.0023

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-346

Status published

Products (5)

Spring/Spring for GraphQL 1.0.0 - 1.0.7

Spring/Spring for GraphQL 1.3.0 - 1.3.9

Spring/Spring for GraphQL 1.4.0 - 1.4.6

Spring/Spring for GraphQL 2.0.0 - 2.0.4

vmware/spring_for_graphql 1.0.0 - 1.0.7

Published Jun 11, 2026

Tracked Since Jun 11, 2026