MEDIUM: 4.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Default status: unaffected
7.0.0 (custom) before 7.0.8: affected
6.2.0 (custom) before 6.2.19: affected
6.1.0 (custom) before 6.1.28: affected
5.3.0 (custom) before 5.3.49: affected
Description
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which an attacker may be able to exploit in combination with inadequate authorization rules (CWE-330). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. The fixed releases are 7.0.8, 6.2.19, 6.1.28 and 5.3.49.
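The example below is added here to illustrate the two halves of that description; it is not code from Spring Framework or the spring-websocket module, and it does not depict how the affected versions actually generated their IDs. It contrasts a predictable session ID generator with one drawn from a CSPRNG, and shows the ownership check that "inadequate authorization rules" points at: if a handler lets a client address another session by ID, the ID must not be the only thing standing between the caller and that session. The class, generator and registry names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

/*
 * Added illustration of CWE-330 in the WebSocket-session-ID setting.
 * Hypothetical code: not spring-websocket, and not how Spring built its IDs.
 */
public final class SessionIdExample {

    /** Session-ID strategy, so the weak and hardened variants are swappable. */
    interface SessionIdGenerator {
        String nextId();
    }

    /**
     * Weak: a counter. A client that has seen its own ID can enumerate
     * its neighbours. java.util.Random seeds and identity hash codes are
     * unsuitable for the same reason: they are narrow and not unpredictable.
     */
    static final class SequentialIdGenerator implements SessionIdGenerator {
        private final AtomicLong counter = new AtomicLong();
        public String nextId() { return Long.toHexString(counter.incrementAndGet()); }
    }

    /** Hardened: 128 bits from a CSPRNG, base64url so it is safe in headers and URLs. */
    static final class SecureRandomIdGenerator implements SessionIdGenerator {
        private static final SecureRandom RNG = new SecureRandom();
        public String nextId() {
            byte[] buf = new byte[16];
            RNG.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    /** Records which authenticated principal owns each open session. */
    static final class SessionRegistry {
        private final Map<String, String> ownerBySessionId = new ConcurrentHashMap<>();
        private final SessionIdGenerator ids;
        SessionRegistry(SessionIdGenerator ids) { this.ids = ids; }

        String open(String principal) {
            String id = ids.nextId();
            ownerBySessionId.put(id, principal);
            return id;
        }

        /**
         * Deliver a message addressed to an arbitrary session ID.
         * The authorization rule is what protects other users' sessions:
         * knowing (or guessing) the target ID must not be enough on its own.
         */
        boolean sendTo(String caller, String targetSessionId, String payload) {
            String owner = ownerBySessionId.get(targetSessionId);
            if (owner == null || !owner.equals(caller)) {
                return false;                      // not the caller's session: refuse
            }
            System.out.println("[" + targetSessionId + "] <- " + payload);
            return true;
        }
    }

    public static void main(String[] args) {
        // With a sequential generator, a client holding session "2" can trivially
        // address "1"; with a 128-bit CSPRNG ID there is nothing to enumerate.
        SessionRegistry weak = new SessionRegistry(new SequentialIdGenerator());
        String victim = weak.open("alice");
        String attacker = weak.open("mallory");
        System.out.println("weak ids:   " + victim + " " + attacker);

        SessionRegistry strong = new SessionRegistry(new SecureRandomIdGenerator());
        System.out.println("strong ids: " + strong.open("alice") + " " + strong.open("mallory"));

        // Independent of ID strength, the ownership check denies cross-session delivery.
        System.out.println("mallory -> alice's session: " + weak.sendTo("mallory", victim, "hi"));
        System.out.println("alice   -> own session:     " + weak.sendTo("alice", victim, "hi"));
    }
}
```

Compile and run with `javac SessionIdExample.java && java SessionIdExample`. Upgrading to a fixed release addresses the generator half; the ownership check is the part to audit in your own handlers regardless of Spring version, because a guessable ID is only exploitable where the ID alone is treated as proof of who is on the other end.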
Problem types
CWE-330: Use of Insufficiently Random Values
Product status
7.0.0 (custom) before 7.0.8
6.2.0 (custom) before 6.2.19
6.1.0 (custom) before 6.1.28
5.3.0 (custom) before 5.3.49
References
https://spring.io/security/cve-2026-41838