EUVD-2026-35325
GHSA-q723-847q-5g8g
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules.
Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
AnalysisAI
Predictable WebSocket session IDs in the spring-websocket module of Spring Framework allow an authenticated remote attacker to potentially enumerate or infer valid session identifiers and hijack WebSocket connections - but only when the target application also implements inadequate authorization rules on its WebSocket endpoints. All actively maintained Spring Framework release lines are affected: 5.3.x, 6.1.x, 6.2.x, and 7.0.x. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions to be met simultaneously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.8 (Medium) is grounded in a meaningful set of mitigating vector components: high attack complexity (AC:H) indicates that exploitation cannot be reliably automated and depends on conditions outside the attacker's direct control; low privileges are required (PR:L), ruling out fully unauthenticated attack paths; user interaction is required (UI:R), further limiting opportunistic exploitation; and impact is scoped entirely to confidentiality (C:H/I:N/A:N) with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker targeting a Spring-based application with publicly accessible WebSocket endpoints could observe a sequence of session identifiers assigned to their own sessions or to other observable connections, infer the predictable generation pattern, and craft requests using a guessed victim session ID to access that user's WebSocket channel. This requires inducing some form of user interaction - likely having the victim establish an active WebSocket session - and the application must lack authorization checks that would reject a mismatched session claim. … |
| Remediation | The primary remediation is to upgrade to a patched release of Spring Framework; exact fix versions must be confirmed from the vendor advisory at https://spring.io/security/cve-2026-41838, as no specific patched version numbers were included in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Server-side request forgery in crmeb_java 1.4 allows remote unauthenticated attackers to manipulate the base64 Qrcode en
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote atta
Unsafe deserialization in Apache Fory fory-core Java SDK versions prior to 1.1.0 allows remote attackers to bypass the f
Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manip
Unsafe deserialization in Spring Framework's JMS message converters (MappingJackson2MessageConverter and JacksonJsonMess
Share
External POC / Exploit Code
Leaving vuln.today