CVE-2026-41700

Summary

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Affected Software

VendorProductVersion RangeStatus
SpringSpring for GraphQL2.0.0 < 2.0.3.1affected
SpringSpring for GraphQL1.4.0 < 1.4.5.1affected
SpringSpring for GraphQL1.3.0 < 1.3.9affected
SpringSpring for GraphQL1.0.0 < 1.0.7affected

Weaknesses

  • CWE-346: CWE-346: Origin Validation Error

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References