Description
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.

Affected versions:
Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Published: 2026-06-11
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring for GraphQL applications that enable the WebSocket transport are vulnerable to a cross‑site WebSocket hijacking flaw. An attacker can create a malicious web page that tricks an authenticated user's browser into establishing a WebSocket connection to a trusted GraphQL endpoint. Once the connection is established, the attacker's page can send arbitrary GraphQL queries and mutations, and the browser attaches the victim's existing credentials to the connection, so those operations run with the victim's privileges. The underlying weakness is classified as CWE‑346.

Affected Systems

All versions of Spring for GraphQL from 1.0.0 through 1.0.6, 1.3.0 through 1.3.8, 1.4.0 through 1.4.5, and 2.0.0 through 2.0.3 are affected, regardless of how the library was installed. Any deployment that has enabled the WebSocket transport for GraphQL is considered vulnerable.

Risk and Exploitability

The CVSS score of 8.1 signals a high-severity risk. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation at the time of analysis. The likely attack vector is a deceptive web page that causes an authenticated user's browser to open a WebSocket connection to the targeted GraphQL endpoint. Successful exploitation lets the attacker perform arbitrary GraphQL operations with the victim's privileges, posing a serious risk to the confidentiality and integrity of the GraphQL data.

Generated by OpenCVE AI on June 11, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Spring for GraphQL release that addresses CVE-2026-41700
  • If patching is not immediately possible, disable the WebSocket transport in the application configuration
  • Ensure that client authentication tokens are not automatically included in cross‑origin requests by enforcing strict same‑origin policies


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 06:45:00 +0000 (values added; nothing removed)

  • Description: Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
  • Title: Cross-Site WebSocket Hijacking in Spring for GraphQL
  • Weaknesses: CWE-346
  • References: (none)
  • Metrics: cvssV3_1, score 8.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T05:04:47.722Z

Reserved: 2026-04-22T06:21:22.982Z

Link: CVE-2026-41700

NVD

Status: Received

Published: 2026-06-11T07:16:28.400

Modified: 2026-06-11T07:16:28.400

Link: CVE-2026-41700

OpenCVE Enrichment

Updated: 2026-06-11T07:30:08Z

Weaknesses