CVE-2026-41700
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site WebSocket Hijacking in Spring for GraphQL

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VMware

Description
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-11
Last Modified
2026-06-11
Generated
2026-06-11
AI Q&A
2026-06-11
EPSS Evaluated
N/A
NVD
CVE-2026-41700
EUVD
EUVD-2026-36213
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_for_graphql From 1.0.0 (inc) to 2.0.3 (inc)
vmware spring_for_graphql From 1.0.0 (inc) to 1.0.6 (inc)
vmware spring_for_graphql From 1.3.0 (inc) to 1.3.8 (inc)
vmware spring_for_graphql From 1.4.0 (inc) to 1.4.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute arbitrary GraphQL operations using the victim's credentials by exploiting Cross-Site WebSocket Hijacking. This can lead to unauthorized access to sensitive data or operations within the affected application.

Such unauthorized access and potential data exposure could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access.

Therefore, if exploited, this vulnerability may lead to violations of data protection requirements under these regulations.

Executive Summary

CVE-2026-41700 is a Cross-Site WebSocket Hijacking vulnerability that affects Spring for GraphQL applications using WebSocket transport with cookie-based session authentication.

The vulnerability occurs when applications enable GraphQL WebSocket transport, rely on cookie-based session authentication, and do not have custom Spring Security WebSocket-level Origin enforcement.

An attacker can exploit this by tricking an authenticated user into visiting a malicious page, which allows the attacker to execute arbitrary GraphQL operations using the victim's credentials.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized GraphQL operations on behalf of an authenticated user.

By exploiting the victim's credentials, the attacker can access or manipulate sensitive data or functionality within the affected Spring for GraphQL application.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Spring for GraphQL to the fixed versions.

  • Upgrade to version 2.0.4 if you are on the 2.0.x release track.
  • Upgrade to version 1.4.6 if you are on the 1.4.x release track.
  • Upgrade to version 1.3.9 if you are on the 1.3.x release track.
  • Upgrade to version 1.0.7 if you are on the 1.0.x release track.

No additional mitigation steps are required beyond upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41700. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart