PatchSiren cyber security CVE debrief
CVE-2026-41700 Spring CVE debrief
CVE-2026-41700 is a HIGH severity vulnerability in Spring for GraphQL applications that have enabled the WebSocket transport, allowing for Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions include Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
- Vendor: Spring
- Product: Spring for GraphQL
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Users of Spring for GraphQL applications that have enabled the WebSocket transport should be aware of this vulnerability and take steps to mitigate it.
Technical summary
CVE-2026-41700 is a Cross-Site WebSocket Hijacking vulnerability in Spring for GraphQL applications that expose the WebSocket transport. It carries a CVSS score of 8.1 and is rated HIGH severity. The root cause is that the application does not properly validate WebSocket handshake requests, so a malicious page loaded in an authenticated victim's browser can open a WebSocket to the GraphQL endpoint and execute arbitrary GraphQL operations with the victim's credentials.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring for GraphQL.
- Disable WebSocket transport if not required.
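The defensive pattern that closes a Cross-Site WebSocket Hijacking hole is to reject the WebSocket handshake unless the browser-supplied Origin header matches an explicit allowlist. The interceptor below is an added illustration of that check written against Spring's public `HandshakeInterceptor` API; it is not Spring for GraphQL's own fix for this CVE, and how it is wired onto the GraphQL WebSocket endpoint depends on the application's configuration (assumed here). The allowlisted origins are hypothetical values.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.server.HandshakeInterceptor;

/**
 * Rejects WebSocket upgrade requests whose Origin header is missing, malformed,
 * or not on an explicit allowlist. Browsers always attach Origin to a WebSocket
 * handshake and also attach the victim's cookies, so a foreign Origin on a
 * credentialed handshake is exactly the cross-site case this CVE describes.
 * Added example, not Spring for GraphQL's own code.
 */
public class OriginAllowlistHandshakeInterceptor implements HandshakeInterceptor {

    // Normalised "scheme://host:port" forms of the origins that may open a socket.
    private final Set<String> allowedOrigins;

    public OriginAllowlistHandshakeInterceptor(Set<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins.stream()
                .map(OriginAllowlistHandshakeInterceptor::normalise)
                .filter(o -> o != null)
                .collect(Collectors.toSet());
    }

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                   WebSocketHandler wsHandler, Map<String, Object> attributes) {
        String origin = request.getHeaders().getOrigin();
        if (!isAllowedOrigin(origin)) {
            // Abort the upgrade: no WebSocket session is created for this request.
            response.setStatusCode(HttpStatus.FORBIDDEN);
            return false;
        }
        return true;
    }

    @Override
    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                               WebSocketHandler wsHandler, Exception exception) {
        // Nothing to do once the handshake has been accepted.
    }

    /** Exact match on the normalised form; a missing or unparsable Origin is rejected. */
    boolean isAllowedOrigin(String origin) {
        String normalised = normalise(origin);
        return normalised != null && allowedOrigins.contains(normalised);
    }

    /**
     * Reduce an origin to lower-cased "scheme://host:port", filling in the default
     * port so that "https://app.example.com" and "https://app.example.com:443" agree.
     * Returns null for anything that is not a proper origin, including the literal
     * "null" that browsers send for opaque origins, so those are never allowed.
     */
    static String normalise(String origin) {
        if (origin == null) {
            return null;
        }
        try {
            URI uri = new URI(origin.trim());
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return null;
            }
            int port = uri.getPort();
            if (port == -1) {
                port = "https".equalsIgnoreCase(scheme) ? 443 : 80;
            }
            return scheme.toLowerCase(Locale.ROOT) + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Hypothetical wiring: new OriginAllowlistHandshakeInterceptor(Set.of("https://app.example.com"))
    // registered on the GraphQL WebSocket endpoint of the application.
}
```

Two points worth keeping in mind when applying this pattern. The check defends only against browser-driven attacks, which is the threat model of this CVE: a non-browser client can send any Origin it likes, but it also cannot borrow a victim's cookies, so the Origin check is about stopping the browser from lending credentials to a foreign page rather than authenticating the client. Second, the comparison must be an exact match on a normalised origin; prefix or substring checks (which would accept `https://app.example.com.attacker.example`) reintroduce the hole.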
Evidence notes
The CVE-2026-41700 vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-41700) and has a detailed description on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-41700).
Official resources
- CVE-2026-41700 CVE record (CVE.org)
- CVE-2026-41700 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-41700 was published on 2026-06-11T07:16:28.400Z and modified on 2026-06-12T14:13:50.790Z.