CVE-2026-41838
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk7th percentile - higher than 7% of all known CVEs
Summary
WebSocket session IDs in the spring-websocket module are not cryptographically unpredictable, which may be exploitable in combination with inadequate authorization rules.
Risk Assessment
An attacker may predict or guess WebSocket session IDs, which combined with authorization flaws could lead to unauthorized access to sessions or data.
Recommendation
Immediately upgrade Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch in use.
Original NVD description (English source)
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

