
Spring for GraphQL EUVD-2026-36213 | CVE-2026-41700 HIGH

Origin Validation Error (CWE-346)
Published 2026-06-11 · Vendor: vmware · GHSA-m39w-hqxx-3r48
CVSS 3.1 base score: 8.1 (HIGH)

Severity by source

Vendor (vmware), primary source: 8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

vuln.today AI: 8.1 HIGH

Network-reachable WebSocket endpoint, no attacker auth (PR:N), but victim must visit attacker page (UI:R); attacker reads and mutates victim data (C:H/I:H), no availability impact.

CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (2 events)

Patch available: Jun 11, 2026 - 08:01 (EUVD)
Analysis Generated: Jun 11, 2026 - 07:01 (vuln.today)

Description (source: CVE.org)

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

Analysis (AI)

Cross-Site WebSocket Hijacking in Spring for GraphQL allows remote attackers to execute arbitrary GraphQL operations under an authenticated victim's identity when the application has enabled the GraphQL WebSocket transport. The flaw stems from missing origin validation on WebSocket handshakes (CWE-346), affecting Spring for GraphQL 1.0.x, 1.3.x, 1.4.x, and 2.0.x branches up to 2.0.3. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify target using Spring GraphQL WebSocket endpoint
Delivery: Host malicious page with WebSocket client JS
Exploit: Lure authenticated victim to visit page
Install: Browser opens wss://target/graphql with session cookie
C2: Server skips Origin check and accepts handshake
Execute: Attacker JS issues GraphQL queries and mutations
Impact: Exfiltrate data and modify state as victim

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Spring for GraphQL application has explicitly enabled the WebSocket transport (graphql-ws / graphql-transport-ws on an endpoint such as /graphql) and authenticates that WebSocket using ambient browser credentials, typically a session cookie or HTTP Basic auth, without Origin allowlisting or a header-bound CSRF token. …

Risk Assessment: Signals are largely consistent and point to a real, but not top-tier, priority. …

Exploit Scenario: An authenticated user of a Spring-GraphQL-backed application visits an attacker-controlled web page (phishing link, malvertising, watering-hole). The page's JavaScript opens a WebSocket to wss://victim-app.example.com/graphql; the browser attaches the user's session cookie, the server accepts the upgrade without checking Origin, and the attacker's script sends graphql-ws messages issuing queries to exfiltrate sensitive data and mutations to change account state in the victim's name.

Remediation: Upstream fix available per the Spring advisory (https://spring.io/security/cve-2026-41700); the released patched version is not independently confirmed in the provided data, but applications should upgrade to the latest maintenance release on their branch (2.0.4, 1.4.6, 1.3.9, or 1.0.7 family) once published by VMware/Broadcom. …
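The Exploitation and Remediation paragraphs above turn on a single server-side control: the Origin header of the WebSocket handshake must be checked against an allowlist before the server honours ambient credentials such as the session cookie. The Python below is an added illustration written for this page; it is not Spring for GraphQL's code and not the upstream fix. It applies an origin allowlist to constructed handshake headers, canonicalises scheme, host and default port so that `https://Victim-App.example.com:443` matches `https://victim-app.example.com`, and rejects the cases that commonly slip past a naive check: a missing Origin, the opaque `null` origin, an `http://` variant of a trusted `https://` site, and a hostname that merely ends with the trusted one. All host names, the cookie value and the allowlist are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the site(s) whose pages may open the GraphQL socket.
# The host name is hypothetical; a real deployment lists its own front-end origins.
ALLOWED_ORIGINS = frozenset({"https://victim-app.example.com"})


def normalize_origin(origin: str):
    """Canonicalise an Origin header value to 'scheme://host[:port]'.

    Lower-cases the host and drops the scheme's default port so that
    'https://Victim-App.example.com:443' compares equal to
    'https://victim-app.example.com'. Returns None for anything that is not
    a plain scheme+host(+port) origin, so malformed values never match.
    """
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # an Origin carries no path; reject oddities rather than guess
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname  # urlsplit already lower-cases the host
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_handshake(headers: dict):
    """Decide whether a WebSocket upgrade may proceed. Returns (accepted, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade request"
    origin = h.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a handshake
        # without one cannot be shown to come from a trusted page.
        return False, "Origin header missing"
    if origin.strip() == "null":
        return False, "opaque 'null' Origin (sandboxed frame, data: URL, ...)"
    canonical = normalize_origin(origin)
    if canonical is None:
        return False, f"unparseable Origin {origin!r}"
    if canonical not in ALLOWED_ORIGINS:
        return False, f"Origin {canonical} not in allowlist"
    return True, f"Origin {canonical} allowed"


# Constructed handshake headers, modelled on the scenario in the assessment.
# Every request carries the victim's session cookie, as a browser would attach it.
BASE = {
    "Host": "victim-app.example.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Protocol": "graphql-transport-ws",
    "Cookie": "JSESSIONID=constructed-session-id",
}

SAMPLE_HANDSHAKES = {
    "same_origin":      {**BASE, "Origin": "https://victim-app.example.com"},
    "default_port":     {**BASE, "Origin": "https://VICTIM-APP.example.com:443"},
    "cross_site":       {**BASE, "Origin": "https://attacker.example"},
    "suffix_lookalike": {**BASE, "Origin": "https://victim-app.example.com.attacker.example"},
    "http_downgrade":   {**BASE, "Origin": "http://victim-app.example.com"},
    "missing_origin":   dict(BASE),
    "null_origin":      {**BASE, "Origin": "null"},
}


def evaluate_samples():
    """Map each constructed handshake name to its accept (True) / reject (False) decision."""
    return {name: check_handshake(hdrs)[0] for name, hdrs in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_HANDSHAKES.items():
        accepted, reason = check_handshake(hdrs)
        print(f"{name:18s} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

Only the first two samples are accepted; the cookie alone never decides. Exact-match comparison after canonicalisation is the point of the design: substring or suffix matching on the host is what lets `victim-app.example.com.attacker.example` through, and comparing the raw header string would reject a legitimate `:443` variant. Spring's own `OriginHandshakeInterceptor` in spring-websocket is the framework-side equivalent of this allowlist; whichever layer performs the check, it has to run before any session-bound work, and a header-bound CSRF token is the alternative control the assessment names.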

Recommended Action (AI)

Within 24 hours: Inventory all applications using Spring for GraphQL; identify those with WebSocket transport enabled and document current versions in production environments. …


