CVE-2026-41838
mediumCVSS v3 Base Score
4.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
EPSS Score
0.2%
Exploitation probability in 30 days
Top 93% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Confidentiality
High
Integrity
None
Availability
None
Vulnerability Report
Generated by CyberWatcher
Description
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
CWE
CWE-330Affected Products
vmware spring framework