CVE-2026-41839
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
A WebFlux application with a compromised subdomain is vulnerable to an escalation attack that allows exchanging a known session ID for that of an authenticated user.
Risk Assessment
An attacker could gain access to an authenticated user's session, potentially leading to account takeover and data breaches.
Recommendation
It is recommended to monitor subdomains and implement protections against XSS attacks to minimize escalation risks.
Original NVD description (English source)
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

