CVE-2026-41700

Published: Jun 11, 2026Modified: Jun 12, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security@vmware.com (Secondary)

Description

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Affected (4)

Products: Vmware: Spring For Graphql

Vmware

1 product

Spring For Graphql

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Vmware Spring For Graphql	From 1.0.0 to 1.0.7
Vmware Spring For Graphql	From 1.3.0 to 1.3.9
Vmware Spring For Graphql	From 1.4.0 to 1.4.6
Vmware Spring For Graphql	From 2.0.0 to 2.0.4

Related CWEs

CWE-346

Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

References (1)

https://spring.io/security/cve-2026-41700

Source: security@vmware.com

Vendor Advisory

Timeline

No history available yet.