CVE Catalog

CVE-2026-41838

MediumCVSS 4.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile - higher than 7% of all known CVEs

Summary

WebSocket session IDs in the spring-websocket module are not cryptographically unpredictable, which may be exploitable in combination with inadequate authorization rules.

Risk Assessment

An attacker may predict or guess WebSocket session IDs, which combined with authorization flaws could lead to unauthorized access to sessions or data.

Recommendation

Immediately upgrade Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch in use.

Original NVD description (English source)

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS