CVE-2026-41700: Cross-Site WebSocket Hijacking in Spring for GraphQL
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 1.0.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
Cross-Site WebSocket Hijacking (CSWSH) affects Spring for GraphQL when the WebSocket transport is enabled. An attacker reaches the vulnerability over the network, with no authentication required on their part, but must trick an authenticated user into visiting a malicious page. Successful exploitation lets the attacker execute arbitrary GraphQL operations using the victim's session credentials, giving the attacker full read and write access to whatever the victim's account can reach. Patched-image rebuilds at versions 1.0.7, 1.3.9, 1.4.6, and 2.0.4 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-41700 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Spring for GraphQL. Coverage applies to all affected version ranges (1.0.0 through 1.0.6, 1.3.0 through 1.3.8, 1.4.0 through 1.4.5, and 2.0.0 through 2.0.3).
HarborGuard scores this CVE at CVSS 8.1 HIGH and surfaces it accordingly in each customer environment, weighted by that environment's compliance policy to determine urgency and routing. Triage tickets are routed to the appropriate team inbox within each customer org based on which images and workloads contain the affected package.
Patched-image rebuilds at the fixed versions (1.0.7, 1.3.9, 1.4.6, and 2.0.4, depending on the branch in use) are available to generate for any image found to contain an affected Spring for GraphQL release. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the regression test suite, and opens a pull request against the affected workload automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the Spring for GraphQL WebSocket endpoint over the network; the service must be exposed to a network the attacker can send requests from.
- Authentication: Not required
  The attacker does not need any account or credentials on the target application; they exploit the victim's already-authenticated session.
- Victim interaction: Required
  The attacker must socially engineer the authenticated victim into visiting a malicious page that initiates the cross-site WebSocket connection.
- Attack complexity: Low
  The exploit is reliable and imposes no special environmental conditions or race requirements; any authenticated user who visits the malicious page is vulnerable.
Blast Radius
- Reads any data the victim's GraphQL queries can return, including profile data, stored records, and session-scoped secrets.
- Executes mutations using the victim's credentials, allowing modification or deletion of persisted application data.
- Performs any GraphQL operation the victim's account is authorized for, which may include administrative actions depending on the application's authorization model.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image containing an affected Spring for GraphQL version across all connected registries and pipelines. For environments where auto-remediation is enabled, HarborGuard rebuilds the image at the appropriate fix version (1.0.7, 1.3.9, 1.4.6, or 2.0.4 depending on the branch), runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads. Where compliance policy permits, median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that do not use auto-remediation, the rebuilt image is available on demand. In addition to upgrading, consider applying network policies that restrict which origins are permitted to initiate WebSocket connections to your GraphQL endpoint, and audit whether the WebSocket transport is required in production environments where it is not actively used.
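The origin restriction suggested above is a handshake-time check: the server compares the browser-supplied Origin header against an exact allowlist before accepting the WebSocket upgrade. The following Python is an added, language-neutral illustration of that check (it is not code from Spring for GraphQL or HarborGuard; the allowlist and the handshake header sets are constructed for the demo), and upgrading to a fixed release remains the primary remediation.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port]; None if it is not a bare origin."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None  # an Origin carries no path, query or credentials
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:  # drop the scheme's default port
        return f"{parts.scheme}://{parts.hostname}"  # urlsplit already lower-cases scheme and host
    return f"{parts.scheme}://{parts.hostname}:{port}"

def handshake_allowed(headers: dict, allowed_origins: set, allow_missing_origin: bool = False) -> tuple:
    """Decide whether a WebSocket upgrade may proceed; returns (allowed, reason)."""
    lookup = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    origin = lookup.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake; refuse by default so that a proxy
        # stripping the header cannot silently disable the check (non-browser clients need an opt-in).
        return (allow_missing_origin, "Origin header absent")
    if origin.strip().lower() == "null":
        return (False, "opaque 'null' origin")  # sandboxed iframes, file:// pages, some redirects
    canonical = normalize_origin(origin)
    if canonical is None:
        return (False, "malformed Origin")
    # Exact match against a canonicalised allowlist: no prefix, suffix or substring matching,
    # which would also accept unrelated hosts that merely contain the allowed name.
    if canonical in {normalize_origin(o) for o in allowed_origins}:
        return (True, "origin allowed")
    return (False, f"origin {canonical} not in allowlist")

ALLOWED = {"https://app.example.com"}  # constructed allowlist for the demo
SAMPLE_HANDSHAKES = {  # constructed upgrade-request header sets
    "same_site": {"Upgrade": "websocket", "Origin": "https://app.example.com"},
    "normalized": {"Upgrade": "websocket", "origin": "HTTPS://App.Example.com:443"},
    "cross_site": {"Upgrade": "websocket", "Origin": "https://other-site.example.org"},
    "lookalike": {"Upgrade": "websocket", "Origin": "https://app.example.com.evil.test"},
    "null_origin": {"Upgrade": "websocket", "Origin": "null"},
    "no_origin": {"Upgrade": "websocket"},
}

def evaluate_samples() -> dict:
    return {name: handshake_allowed(h, ALLOWED)[0] for name, h in SAMPLE_HANDSHAKES.items()}
```

Only the two same-site handshakes are accepted; the look-alike host is rejected because matching is exact, and the missing-Origin case is rejected unless the deployment explicitly opts non-browser clients in.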
Fix available
- Spring / Spring for GraphQL: < 2.0.4 (from 2.0.0) · < 1.4.6 (from 1.4.0) · < 1.3.9 (from 1.3.0) · < 1.0.7 (from 1.0.0)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N