PatchSiren cyber security CVE debrief
CVE-2026-41838 Spring CVE debrief
CVE-2026-41838 is a medium severity vulnerability in the Spring Framework. The IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be exploitable in combination with inadequate authorization rules. This vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-11
Who should care
Developers and administrators using the Spring Framework should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 4.8 and a CVSS severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N. The weakness is classified as CWE-330.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a non-vulnerable version of the Spring Framework.
- Enforce adequate authorization rules on WebSocket endpoints so that a guessed session ID alone cannot be exploited.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. The vendor advisory can be found at [ref-4].
Official resources
- CVE-2026-41838 CVE record (CVE.org)
- CVE-2026-41838 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
CVE-2026-41838 was published on 2026-06-09T05:16:35.723Z and modified on 2026-06-11T16:53:41.830Z.