PatchSiren cyber security CVE debrief
CVE-2026-41839 Spring CVE debrief
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. This vulnerability affects Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48.
- Vendor: Spring
- Product: Spring Framework
- CVSS: MEDIUM 4.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27, and 5.3.0 through 5.3.48 who run WebFlux applications.
Technical summary
The vulnerability allows an attacker who controls a subdomain of a WebFlux application to exchange a session ID they already know for that of an authenticated user, potentially gaining unauthorized access to that user's session. The CVSS score is 4.2, a medium severity.
Defensive priority
Medium
Recommended defensive actions
- Update to a non-vulnerable version of Spring Framework.
- Implement additional security measures to prevent subdomain compromise, such as monitoring for suspicious activity and enforcing secure coding practices.
Evidence notes
The CVE record and NVD detail provide further information on this vulnerability.
Official resources
- CVE-2026-41839 CVE record (CVE.org)
- CVE-2026-41839 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41839 was published on 2026-06-09T05:16:35.850Z and modified on 2026-06-09T13:49:39.993Z.