Description
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.

Affected versions:
Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Published: 2026-06-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring for GraphQL applications that enable the WebSocket transport are vulnerable to cross-site WebSocket hijacking (CSWSH). An attacker hosts a page which, when visited by a user who is logged in to the target application, opens a WebSocket to the application's GraphQL endpoint. Because the browser attaches the victim's session cookie to the handshake and the server does not validate the request's Origin, the connection is established as the victim, and the attacker's page can then send arbitrary GraphQL queries and mutations over it with the victim's privileges. The underlying weakness is an origin validation error, CWE-346.

Affected Systems

All versions of Spring for GraphQL from 1.0.0 through 1.0.6, 1.3.0 through 1.3.8, 1.4.0 through 1.4.5, and 2.0.0 through 2.0.3 are affected, whichever distribution or build they come from. Exposure requires the WebSocket transport to be enabled; this advisory does not concern the HTTP transport on its own.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (High), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, describes a network-reachable flaw that needs no privileges but does require user interaction (the victim must visit the attacker's page), with high impact on confidentiality and integrity and none on availability. The EPSS score is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there was no evidence of active exploitation at the time of analysis; SSVC nonetheless rates the Technical Impact as total. The attack vector is a web page that causes an authenticated user's browser to open a WebSocket to the targeted GraphQL endpoint. Successful exploitation lets the attacker run arbitrary GraphQL operations, including mutations, as the victim, which is a serious risk to the confidentiality and integrity of the data behind the API.

Generated by OpenCVE AI on June 11, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Spring for GraphQL release that addresses CVE-2026-41700. The affected ranges end at 2.0.3, 1.4.5, 1.3.8 and 1.0.6, so the next patch release of each line is the expected fix; confirm the fixed version against the vendor advisory before relying on it.
  • If patching is not immediately possible, disable the WebSocket transport in the application configuration; only deployments with it enabled are exposed.
  • Validate the Origin header on the WebSocket handshake against an explicit, exact-match allow-list of the application's own origins and reject everything else before any GraphQL operation runs (Spring's WebSocket support provides OriginHandshakeInterceptor for this on the servlet stack); decide deliberately how to treat a missing Origin header, which non-browser clients may omit. As defence in depth, mark session cookies SameSite=Lax or Strict so the browser does not attach them to a cross-site handshake, or authenticate the socket with a token carried in the connection_init payload instead of a cookie. Same-origin checks alone are not a substitute for the origin allow-list, since the browser enforces no same-origin policy on WebSocket connections.
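
The following is an added illustration, not code from the advisory or from Spring for GraphQL. It is an in-memory model of the hijack described under Impact and of the handshake-time Origin check recommended in the list above. The browser, the server handshake and the graphql-transport-ws message handling are hypothetical stand-ins written for this page; the origins, cookie, session store and resolver are constructed sample data. Spring's real handshake and protocol code differ; what the model preserves is the ordering that matters: the cookie-authenticated principal is fixed at the handshake, so the Origin check must happen there, before connection_init is ever processed.

```javascript
// Added example for this page, not Spring for GraphQL code: an in-memory model of a
// cross-site WebSocket hijack against a cookie-authenticated graphql-transport-ws endpoint,
// and of the handshake-time Origin allow-list that stops it. All names below are constructed.

const TRUSTED_ORIGIN = 'https://app.example';    // assumed origin of the GraphQL application
const ATTACKER_ORIGIN = 'https://evil.example';  // constructed origin of the attacker's page
const VICTIM_COOKIE = 'SESSION=abc123';          // constructed session cookie held by the victim
const SESSIONS = { 'SESSION=abc123': { user: 'alice' } }; // constructed server-side session store

// Browser model. A script on `pageOrigin` opens a WebSocket to the application. The browser
// sets Origin to the page's origin (the script cannot change it) and attaches the session
// cookie unless SameSite=Lax/Strict suppresses it on this cross-site, non-navigation request.
function browserHandshake(pageOrigin, cookie, sameSite = 'None') {
  const crossSite = pageOrigin !== TRUSTED_ORIGIN;
  const sendCookie = !crossSite || sameSite === 'None';
  return { origin: pageOrigin, cookie: sendCookie ? cookie : null };
}

// Server handshake model. `allowedOrigins === null` models the vulnerable behaviour (any
// Origin accepted); an array models the fix: exact-match allow-list, checked before the
// session cookie is consulted, so no principal is ever attached to a cross-site socket.
function serverHandshake(req, allowedOrigins) {
  if (allowedOrigins !== null) {
    if (typeof req.origin !== 'string' || !allowedOrigins.includes(req.origin)) {
      return { accepted: false, status: 403 };
    }
  }
  const session = req.cookie !== null ? SESSIONS[req.cookie] : undefined;
  return { accepted: true, user: session ? session.user : null };
}

// Messages the hijacking page sends once the socket is open (graphql-transport-ws framing).
function clientMessages(query) {
  return [
    { type: 'connection_init' },
    { id: '1', type: 'subscribe', payload: { query } },
  ];
}

// Server protocol model: acknowledges connection_init, then executes each subscribe as the
// principal fixed at handshake time. 4401 is the protocol's "Unauthorized" close code for a
// subscribe that arrives before connection_init.
function serverProtocol(conn, messages, execute) {
  const replies = [];
  let acked = false;
  for (const m of messages) {
    if (m.type === 'connection_init') {
      acked = true;
      replies.push({ type: 'connection_ack' });
    } else if (!acked) {
      replies.push({ type: 'close', code: 4401 });
      break;
    } else if (m.type === 'subscribe') {
      replies.push({ id: m.id, type: 'next', payload: { data: execute(m.payload.query, conn.user) } });
      replies.push({ id: m.id, type: 'complete' });
    }
  }
  return replies;
}

// Constructed resolver standing in for the application's schema: returns the caller's secret.
function execute(query, user) {
  if (user === null) throw new Error('unauthenticated');
  return { me: { name: user, apiKey: `key-for-${user}` } };
}

// Drive one scenario end to end and report what the attacker's page obtained.
function hijack({ pageOrigin, allowedOrigins = null, sameSite = 'None' }) {
  const req = browserHandshake(pageOrigin, VICTIM_COOKIE, sameSite);
  const conn = serverHandshake(req, allowedOrigins);
  if (!conn.accepted) return { outcome: 'handshake_rejected', status: conn.status };
  try {
    const replies = serverProtocol(conn, clientMessages('{ me { name apiKey } }'), execute);
    const next = replies.find((r) => r.type === 'next');
    return { outcome: 'executed', user: conn.user, data: next.payload.data };
  } catch (e) {
    return { outcome: 'unauthenticated' };
  }
}

// Vulnerable: no Origin check and a SameSite=None cookie -> attacker reads alice's apiKey.
// Fixed: the allow-list rejects the cross-site handshake with 403 before any GraphQL runs.
// Legitimate same-origin client: still accepted with the allow-list in place.
// Defence in depth: SameSite=Lax alone leaves the socket anonymous, but the request still lands.
console.log(hijack({ pageOrigin: ATTACKER_ORIGIN }));
console.log(hijack({ pageOrigin: ATTACKER_ORIGIN, allowedOrigins: [TRUSTED_ORIGIN] }));
console.log(hijack({ pageOrigin: TRUSTED_ORIGIN, allowedOrigins: [TRUSTED_ORIGIN] }));
console.log(hijack({ pageOrigin: ATTACKER_ORIGIN, sameSite: 'Lax' }));
```

The four scenarios at the bottom are the point of the model: with no allow-list and a SameSite=None cookie the attacker's page executes the query as alice; with the allow-list the handshake is refused with 403 and no protocol message is processed; the application's own origin keeps working; and a SameSite=Lax cookie with no Origin check leaves the cross-site socket anonymous, which blunts this attack but still lets the handshake through, so it belongs alongside the Origin check rather than in place of it.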



Advisories

No advisories yet.

References
History

Fri, 12 Jun 2026 14:15:00 +0000

Type: CPEs
Added: cpe:2.3:a:vmware:spring_for_graphql:*:*:*:*:*:*:*:*

Thu, 11 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

Type: First Time appeared
Added: Spring; Spring spring For Graphql; Vmware; Vmware spring For Graphql

Type: Vendors & Products
Added: Spring; Spring spring For Graphql; Vmware; Vmware spring For Graphql

Thu, 11 Jun 2026 06:45:00 +0000

Type: Description
Added: Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Type: Title
Added: Cross-Site WebSocket Hijacking in Spring for GraphQL

Type: Weaknesses
Added: CWE-346

Type: References
Added: (none listed)

Type: Metrics (cvssV3_1)
Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

No values were removed in any of these entries.


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-30T21:51:38.214Z

Reserved: 2026-04-22T06:21:22.982Z

Link: CVE-2026-41700

Vulnrichment

Updated: 2026-06-11T14:43:33.111Z

NVD

Status : Analyzed

Published: 2026-06-11T07:16:28.400

Modified: 2026-06-12T14:13:50.790

Link: CVE-2026-41700

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:40:11Z

Weaknesses