CVE-2026-41838
Received Received - Intake
WebSocket Session ID Predictability in Spring Framework

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VMware

Description
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-09
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-41838
EUVD
EUVD-2026-35325
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
vmware spring_framework From 5.3.0 (inc) to 5.3.48 (inc)
vmware spring_framework From 6.1.0 (inc) to 6.1.27 (inc)
vmware spring_framework From 6.2.0 (inc) to 6.2.18 (inc)
vmware spring_framework From 7.0.0 (inc) to 7.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41838 is a security vulnerability in the Spring Framework's WebSocket module where the session IDs used for WebSocket connections are not cryptographically unpredictable.

This means that the session identifiers can potentially be guessed or predicted by an attacker.

If combined with weak or inadequate authorization rules, this vulnerability could be exploited to hijack or interfere with WebSocket sessions.

Impact Analysis

The vulnerability can allow an attacker to predict WebSocket session IDs and potentially gain unauthorized access to active WebSocket sessions.

This could lead to session hijacking or unauthorized interaction with the WebSocket communication channel if the authorization controls are not strong enough.

Such unauthorized access could compromise the confidentiality of data transmitted over WebSocket connections.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade the Spring Framework to a fixed version.

  • Upgrade to version 7.0.8 (OSS) or 7.0.7.1 (Commercial) for the 7.0.x series.
  • Upgrade to version 6.2.19 (OSS) or 6.2.18.1 (Commercial) for the 6.2.x series.
  • Upgrade to version 6.1.28 (Commercial) for the 6.1.x series.
  • Upgrade to version 5.3.49 (Commercial) for the 5.3.x series.

No additional mitigation steps are required beyond upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart