CVE-2026-41700
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
A vulnerability in Spring for GraphQL allows Cross-Site WebSocket Hijacking, where an attacker can trick an authenticated user into visiting a malicious page. This enables arbitrary GraphQL operations to be executed with the victim's credentials.
Risk Assessment
The risk involves potential data theft or manipulation through unauthorized GraphQL operations, leading to breaches of confidentiality and system integrity.
Recommendation
Immediately update Spring for GraphQL to versions 2.0.4, 1.4.6, 1.3.9, or 1.0.7, depending on your branch. Additionally, consider implementing CSRF protection mechanisms for WebSocket.
Original NVD description (English source)
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

