Spring GraphQL WebSocket Hijacking (v1.02.0.3)
CVE-2026-41700 Published on June 11, 2026
Cross-Site WebSocket Hijacking in Spring for GraphQL
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.
Affected versions:
Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Vulnerability Analysis
CVE-2026-41700 is exploitable with network access and requires user interaction. This vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Origin Validation Error
The software does not properly verify that the source of data or communication is valid.
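As an added defence-in-depth illustration of the origin check described above (example code written for this page, not code from the Spring for GraphQL project or its fix), the following Spring `HandshakeInterceptor` refuses WebSocket upgrade requests whose `Origin` header is not on an explicit allowlist. The class name and the allowlist contents are assumptions.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.server.HandshakeInterceptor;

/** Rejects WebSocket handshakes whose Origin header is not in an explicit allowlist (hypothetical class). */
public class OriginAllowlistInterceptor implements HandshakeInterceptor {

    // Entries in the form a browser sends them: "scheme://host" plus ":port" only for non-default ports.
    private final Set<String> allowedOrigins;

    public OriginAllowlistInterceptor(Set<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    /** Pure check, separated out so it can be unit-tested without a servlet container. */
    static boolean isAllowed(String origin, Set<String> allowed) {
        if (origin == null || origin.isBlank()) {
            return false; // browsers always send Origin on WebSocket upgrades; treat absence as untrusted
        }
        try {
            URI u = URI.create(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return false; // covers the literal "null" origin of sandboxed or opaque contexts
            }
            String normalised = u.getScheme().toLowerCase() + "://" + u.getHost().toLowerCase()
                    + (u.getPort() == -1 ? "" : ":" + u.getPort());
            return allowed.contains(normalised);
        } catch (IllegalArgumentException e) {
            return false; // malformed Origin header
        }
    }

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                   WebSocketHandler wsHandler, Map<String, Object> attributes) {
        if (!isAllowed(request.getHeaders().getOrigin(), allowedOrigins)) {
            response.setStatusCode(HttpStatus.FORBIDDEN);
            return false; // abort the upgrade, so no GraphQL session is ever created for this origin
        }
        return true;
    }

    @Override
    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                               WebSocketHandler wsHandler, Exception exception) {
    }
}
```

Register it on the GraphQL WebSocket endpoint through `WebSocketHandlerRegistration.addInterceptors(...)`; it complements, rather than replaces, upgrading to a fixed release.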
Products Associated with CVE-2026-41700
Affected Versions
Spring for GraphQL:
- Versions from 2.0.0 up to, but not including, 2.0.4 are affected.
- Versions from 1.4.0 up to, but not including, 1.4.6 are affected.
- Versions from 1.3.0 up to, but not including, 1.3.9 are affected.
- Versions from 1.0.0 up to, but not including, 1.0.7 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.