Spring Framework WebFlux Session ID Escalation 5.348, 6.127, 6.218, 7.07.0.7
CVE-2026-41839 Published on June 9, 2026
Spring Framework Escalation via Session Fixation in WebFlux
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Vulnerability Analysis
CVE-2026-41839 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Products Associated with CVE-2026-41839
Want to know whenever a new CVE is published for VMware Spring Framework? stack.watch will email you.
Affected Versions
Spring Framework:- Version 7.0.0 and below 7.0.8 is affected.
- Version 6.2.0 and below 6.2.19 is affected.
- Version 6.1.0 and below 6.1.28 is affected.
- Version 5.3.0 and below 5.3.49 is affected.