CVE-2026-41839

Vulnerability

A session fixation vulnerability exists in Spring Framework WebFlux applications when a subdomain is compromised, for example, via cross-site scripting (XSS). This allows an attacker to exchange a known session ID for that of an authenticated user. Affected versions include Spring Framework 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 [1].

Exploitation

An attacker requires a compromised subdomain, potentially achieved through cross-site scripting (XSS), and network access to the affected WebFlux application. The attacker must also know or be able to guess a valid session ID. The exploitation involves tricking an authenticated user into using a session ID controlled by the attacker, or the attacker directly exchanging a known session ID for the user's active session ID [1].

Impact

Successful exploitation allows an attacker to impersonate an authenticated user by taking over their session. This can lead to unauthorized access to user-specific data and functionality within the application, depending on the privileges of the compromised user. The scope of the compromise is limited to the session of the targeted authenticated user [1].

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions: Spring Framework 7.0.8, 6.2.19, 6.1.28, or 5.3.49. Versions that are no longer supported are also affected. No further mitigation steps are necessary beyond upgrading [1].