Skip to main content
Mallory
Back to vulnerabilities
High

Cross-Site WebSocket Hijacking in Spring for GraphQL

IdentifiersCVE-2026-41700CWE-346· Origin Validation Error

CVE-2026-41700 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in Spring for GraphQL affecting applications that have the GraphQL WebSocket transport enabled. The issue allows a malicious website to establish or abuse a WebSocket connection in the context of an authenticated victim and execute arbitrary GraphQL operations using that victim’s session. Based on the provided content, exploitation is possible where the application relies on cookie-based session authentication and does not implement custom Spring Security WebSocket-level Origin enforcement. Affected versions are Spring for GraphQL 2.0.0 through 2.0.3, 1.4.0 through 1.4.5, 1.3.0 through 1.3.8, and 1.0.0 through 1.0.6.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to perform arbitrary GraphQL operations with the victim’s authenticated context. This can result in unauthorized access to sensitive data and unauthorized modification of application state, consistent with the reported high confidentiality and high integrity impact. The provided CVSS vector indicates no direct availability impact.

Mitigation

If you can’t patch tonight, do this now.

The provided content states that no further mitigation steps are necessary beyond upgrading. However, the same content indicates exploitation depends on the absence of custom Spring Security WebSocket-level Origin enforcement; therefore, where immediate patching is not possible, enforcing strict WebSocket Origin validation and reviewing reliance on cookie-based session authentication for WebSocket GraphQL endpoints may reduce exposure. This mitigation detail is inferred from the stated exploitation conditions.

Remediation

Patch, then assume compromise.

Upgrade Spring for GraphQL to a fixed release. The provided content identifies the following fixed versions: 2.0.4 for the 2.0.x line, 1.4.6 for the 1.4.x line, 1.3.9 for the 1.3.x line, and 1.0.7 for the 1.0.x line. Unsupported affected versions should be moved to a supported fixed release.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
security online infoNews
Jun 11, 2026
Spring GraphQL Security Patches for Deserialization Flaws

An authentication/session validation weakness in Spring GraphQL responsive query components that enables cross-site WebSocket hijacking and arbitrary operations.

Read more
cvefeed high severityNews
Jun 11, 2026
CVE-2026-41700 - Cross-Site WebSocket Hijacking in Spring for GraphQL

A Cross-Site WebSocket Hijacking vulnerability in Spring for GraphQL applications with WebSocket transport enabled, allowing an attacker to induce an authenticated user to visit a malicious page and execute arbitrary GraphQL operations using the victim's credentials.

Read more
springNews
Jun 10, 2026
CVE-2026-41700: Cross-Site WebSocket Hijacking in Spring for GraphQL

A cross-site WebSocket hijacking vulnerability in Spring for GraphQL affecting applications that use GraphQL WebSocket transport with cookie-based session authentication and lack custom Spring Security WebSocket-level Origin enforcement.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-41700
NVD
nvd.nist.gov/vuln/detail/CVE-2026-41700
MITRE CWE · CWE-346
Origin Validation Error
spring.io
spring.io/security/cve-2026-41700