Home
HIGH: 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NDefault status
unaffected
2.0.0 (custom) before 2.0.4
affected
1.4.0 (custom) before 1.4.6
affected
1.3.0 (custom) before 1.3.9
affected
1.0.0 (custom) before 1.0.7
affected
Description
Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.
Problem types
CWE-346: Origin Validation Error
Product status
2.0.0 (custom) before 2.0.4
1.4.0 (custom) before 1.4.6
1.3.0 (custom) before 1.3.9
1.0.0 (custom) before 1.0.7
References
spring.io/security/cve-2026-41700