CVE-2026-41700
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring for GraphQL is the official GraphQL integration for the Spring portfolio, building on GraphQL Java to let Spring applications expose GraphQL APIs over HTTP, WebSocket, and RSocket transports. Its WebSocket transport implements the GraphQL over WebSocket protocol so that clients can run queries, mutations, and long-lived subscriptions over a single WebSocket connection, and it is commonly enabled in applications that use GraphQL subscriptions.
A high-severity vulnerability (CVE-2026-41700) has been identified in Spring for GraphQL applications that have enabled the WebSocket transport. The GraphQL WebSocket handshake endpoint performed no Origin validation, so an application is vulnerable to Cross-Site WebSocket Hijacking when it has enabled the GraphQL WebSocket transport, relies on cookie-based session authentication, and does not have custom Spring Security WebSocket-level Origin enforcement configured. When all of those conditions are met, an attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.
Cross-Site WebSocket Hijacking is the WebSocket variant of Cross-Site Request Forgery (CSRF). Per OWASP, Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. Because browsers do not apply the same-origin policy to WebSocket connections and attach session cookies to the WebSocket handshake request, a page on any origin can open a WebSocket to the application with the victim's session unless the server validates the Origin header itself.
This issue affects >=1.0.0 <=1.0.6, >=1.2.0 <=1.2.9, >=1.3.0 <=1.3.8, >=1.4.0 <=1.4.5, and >=2.0.0 <=2.0.3 of Spring for GraphQL.
Details
Module Info
- Product: Spring for GraphQL
- Affected packages: spring-graphql
- Affected versions: >=1.0.0 <=1.0.6, >=1.2.0 <=1.2.9, >=1.3.0 <=1.3.8, >=1.4.0 <=1.4.5, >=2.0.0 <=2.0.3
- GitHub repository: https://github.com/spring-projects/spring-graphql
- Published packages: https://central.sonatype.com/artifact/org.springframework.graphql/spring-graphql
- Package manager: Maven
- Fixed in:
  - NES for Spring for GraphQL 1.0.x, 1.2.x, 1.3.x
  - Spring for GraphQL 2.0.4, 1.4.6 (OSS)
Vulnerability Info
The vulnerability is in the GraphQL WebSocket transport handlers, GraphQlWebSocketHandler in the org.springframework.graphql.server.webmvc package and its reactive counterpart in org.springframework.graphql.server.webflux. These handlers accept the WebSocket handshake for the GraphQL endpoint and then execute the GraphQL operations sent over the connection.
The WebSocket handshake is a regular HTTP GET request, and browsers attach the application's session cookies to it even when the connection is initiated from a different origin. Unlike ordinary cross-origin HTTP requests, WebSocket connections are not restricted by the browser's same-origin policy, so it is entirely up to the server to reject handshakes coming from foreign origins by checking the Origin header. The Spring for GraphQL handlers performed no such check. In the WebMVC handler, initWebSocketHttpRequestHandler registered only a context-propagation interceptor and no OriginHandshakeInterceptor:
    public WebSocketHttpRequestHandler initWebSocketHttpRequestHandler(HandshakeHandler handshakeHandler) {
        WebSocketHttpRequestHandler handler = new WebSocketHttpRequestHandler(this, handshakeHandler);
        // Only the context-propagation interceptor is registered; nothing inspects the Origin header.
        handler.setHandshakeInterceptors(Collections.singletonList(this.contextHandshakeInterceptor));
        return handler;
    }
The WebFlux handler likewise exposed no CORS configuration and accepted handshakes from any origin.
As a result, a malicious page on any website could open a WebSocket to the application's GraphQL endpoint from the browser of a logged-in user. The handshake would carry the victim's session cookie, the server would accept the connection, and the attacker's page could then send arbitrary GraphQL queries, mutations, and subscriptions that execute with the victim's authenticated session, reading or modifying any data that session is authorized to access.
The remediation enforces a same-origin policy on the GraphQL WebSocket handshake by default. The WebMVC handler now prepends an OriginHandshakeInterceptor to the handshake chain, built from a CorsConfiguration that defaults to allowing no cross-origin callers, and the WebFlux handler now implements CorsConfigurationSource with the same deny-by-default configuration. Cross-origin handshakes are rejected with a 403 unless the application explicitly configures allowed origins through new constructor overloads that accept a custom CorsConfiguration.
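The handshake-time decision described in the two passages above (the missing check and the deny-by-default fix), modelled as an added example in Python; this is not Spring for GraphQL code. The endpoint URL, the origins and the case labels are constructed assumptions; the policy accepts same-origin upgrades, rejects cross-origin ones with 403 unless they match an explicit allow-list, and does not treat a missing Origin header as cross-site.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Default ports, with ws/wss folded onto http/https so a browser-sent Origin
# (always http/https) compares equal to the origin derived from the wss:// URL.
DEFAULT_PORTS = {"http": 80, "https": 443}
WS_TO_HTTP = {"ws": "http", "wss": "https"}

def normalize_origin(url: str) -> tuple[str, str, int] | None:
    """Reduce a URL or Origin value to (scheme, host, port); None if unusable."""
    parts = urlsplit(url)
    scheme = WS_TO_HTTP.get(parts.scheme.lower(), parts.scheme.lower())
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers the literal "null" origin and garbage values
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme]

@dataclass
class HandshakePolicy:
    """Deny-by-default Origin policy for the GraphQL WebSocket upgrade request."""

    allowed_origins: list[str] = field(default_factory=list)  # empty = same-origin only

    def check(self, endpoint_url: str, origin_header: str | None) -> int:
        """Return 101 to let the upgrade proceed, or 403 to reject the handshake."""
        if origin_header is None:
            # Browsers always send Origin on a WebSocket upgrade, so a missing
            # header means a non-browser client, which a web page cannot drive.
            return 101
        origin = normalize_origin(origin_header)
        if origin is None:
            return 403
        if origin == normalize_origin(endpoint_url):
            return 101  # same origin as the endpoint the browser connected to
        if any(normalize_origin(allowed) == origin for allowed in self.allowed_origins):
            return 101  # explicitly configured cross-origin caller
        return 403

# Constructed handshakes against a constructed endpoint; none of these values
# come from the advisory. Each value is the Origin header of one upgrade request.
GRAPHQL_WS = "wss://app.example.test/graphql"
SAMPLE_HANDSHAKES = {
    "same-origin page": "https://app.example.test",
    "same-origin page, explicit port": "https://app.example.test:443",
    "cross-site page": "https://other-site.example.test",
    "sandboxed iframe (null origin)": "null",
    "non-browser client (no Origin)": None,
}
```

Running every entry of SAMPLE_HANDSHAKES through HandshakePolicy() yields 403 only for the cross-site page and the null origin, which is the deny-by-default behaviour the fix applies; passing an allow-list to HandshakePolicy corresponds to supplying a custom CorsConfiguration.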
This vulnerability was introduced in 2022 with Spring for GraphQL 1.0.
Mitigation
Spring for GraphQL 1.0.x, 1.1.x, 1.2.x, and 1.3.x are End-of-Life open source lines and have no publicly available fix for this vulnerability.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a currently supported version of Spring for GraphQL that contains the fix. The OSS fix ships in Spring for GraphQL 2.0.4 (2.0.x line) and 1.4.6 (1.4.x line).
- Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring for GraphQL, which delivers the fix on the 1.0.x, 1.2.x, and 1.3.x lines.