CVE Catalog

CVE-2026-41700

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile - higher than 8% of all known CVEs

Summary

A vulnerability in Spring for GraphQL allows Cross-Site WebSocket Hijacking, where an attacker can trick an authenticated user into visiting a malicious page. This enables arbitrary GraphQL operations to be executed with the victim's credentials.

Risk Assessment

The risk involves potential data theft or manipulation through unauthorized GraphQL operations, leading to breaches of confidentiality and system integrity.

Recommendation

Immediately update Spring for GraphQL to versions 2.0.4, 1.4.6, 1.3.9, or 1.0.7, depending on your branch. Additionally, consider implementing CSRF protection mechanisms for WebSocket.

Original NVD description (English source)

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS