Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.
Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3.1"
},
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.5.1"
},
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.9"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.7"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
},
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.5"
},
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.8"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.6"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41700.json",
"cna_assigner": "vmware",
"cwe_ids": [
"CWE-346"
]
}