
Spring Framework EUVD-2026-35326

CVE-2026-41839 · MEDIUM
Session Fixation (CWE-384)
2026-06-09 · vmware · GHSA-4hfh-6x8g-gwpp
CVSS 3.1 (NVD): 4.2

Severity by source

NVD (primary source): 4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available: Jun 09, 2026, 06:01 (EUVD)
Analysis generated: Jun 09, 2026, 05:26 (vuln.today)

Description (NVD)

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Analysis (AI)

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify XSS-vulnerable subdomain sharing parent domain
Delivery: Inject script to plant known session cookie on parent domain
Exploit: Lure victim to authenticate on WebFlux application
Execution: Server binds attacker-known session ID to authenticated session
Impact: Replay session ID to access application as victim

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two compounding preconditions. First, the attacker must have already achieved code execution or XSS on a subdomain of the target application's parent domain (or accomplished a subdomain takeover), which is a non-trivial prerequisite that substantially raises exploitation cost. Second, a victim user must visit and authenticate on the WebFlux application while their browser carries the attacker-planted session ID (UI:R). …

Risk Assessment: The CVSS 4.2 score accurately reflects a vulnerability with meaningful constraints on exploitability. …

Exploit Scenario: An attacker identifies an XSS vulnerability in a subdomain (e.g., cdn.example.com) that shares a parent domain with a target WebFlux application (app.example.com). The attacker injects a script that writes a known, attacker-controlled session cookie value scoped to .example.com into the victim's browser. …

Remediation: The primary fix is to upgrade Spring Framework beyond the affected version ranges. …
