View all Vulnerabilities

CVE-2026-41839

Authorization Bypass
Affects
Spring Framework
in
Spring
No items found.
Versions
>=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Framework is the foundational application framework for the Java platform, providing dependency injection, web stacks, data access, and more. Its reactive web stack, Spring WebFlux, ships its own server-side session abstraction in the spring-web module: a WebSession whose lifecycle is managed by DefaultWebSessionManager, whose ID is read from and written to the client by a WebSessionIdResolver (by default CookieWebSessionIdResolver), and whose state is persisted by a WebSessionStore (by default InMemoryWebSessionStore). A security layer rotates the session ID at authentication time by calling WebSession.changeSessionId(), which is the standard defense against session fixation.

A low-severity vulnerability (CVE-2026-41839) has been identified in WebFlux session handling. A WebFlux application whose session cookie is scoped to a parent domain can have a known, attacker-supplied session ID promoted into an authenticated user's session, allowing an attacker who controls a compromised sibling subdomain (for example, via cross-site scripting) to exchange a known session ID for that of an authenticated user and ride the victim's authenticated session.

Per OWASP, session fixation is an attack that permits an attacker to hijack a valid user session by exploiting a limitation in the way the web application manages the session ID: when authenticating a user, the vulnerable application does not assign a new session ID, making it possible to use an existing one. The attack consists of obtaining a valid session ID, inducing a user to authenticate with that session ID, and then hijacking the user-validated session through knowledge of the session ID used.

The CVSS v3.1 base score for this vulnerability is 4.2 (Low) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. The attack vector is Network because the attacker operates from a compromised subdomain over the network, attack complexity is High because the attack requires a compromised sibling subdomain plus a victim who authenticates while the fixed session ID is in place, and no privileges on the target application are required. User interaction is Required (the victim must authenticate), the scope is Unchanged, and the impact is Low to both Confidentiality and Integrity because the attacker is confined to the authority of the hijacked session, with no availability impact.

This issue affects Spring Framework >=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, and >=7.0.0 <=7.0.7.

Details

Module Info

Vulnerability Info

The vulnerability is in the WebFlux server-side session machinery in the spring-web module, in org.springframework.web.server.session. WebFlux session id rotation, the standard session-fixation defense, is implemented by WebSession.changeSessionId(), backed in the default store by InMemoryWebSession.changeSessionId() in InMemoryWebSessionStore:

@Override
public Mono<Void> changeSessionId() {
    return Mono.<Void>defer(() -> {
                String currentId = this.id.get();
                InMemoryWebSessionStore.this.sessions.remove(currentId);
                String newId = String.valueOf(idGenerator.generateId());
                this.id.set(newId);
                InMemoryWebSessionStore.this.sessions.put(this.getId(), this);
                return Mono.empty();
            })
            .subscribeOn(Schedulers.boundedElastic())
            .publishOn(Schedulers.parallel())
            .then();
}


Session ID resolution and persistence are driven by DefaultWebSessionManager. On each request it asks the configured WebSessionIdResolver (default CookieWebSessionIdResolver) for the session ID presented by the client, retrieves the matching session from the store, and writes the ID back on response commit:

private Mono<WebSession> retrieveSession(ServerWebExchange exchange) {
    return Flux.fromIterable(getSessionIdResolver().resolveSessionIds(exchange))
            .concatMap(this.sessionStore::retrieveSession)
            .next();
}

private Mono<Void> save(ServerWebExchange exchange, WebSession session) {
    List<String> ids = getSessionIdResolver().resolveSessionIds(exchange);
    ...
    if (ids.isEmpty() || !session.getId().equals(ids.get(0))) {
        this.sessionIdResolver.setSessionId(exchange, session.getId());
    }
    return session.save();
}

The default cookie resolver binds the server-side WebSession to the session ID presented by the client. Cookies are scoped per registrable domain, so a cookie set for a parent domain (example.com) is sent to every subdomain (app.example.com), and a compromised sibling subdomain can write such a cookie into the victim's browser, including by way of cross-site scripting. An attacker therefore pre-seeds a known session ID into the victim's browser. When the WebFlux application does not force a fresh, server-generated ID at the moment the user authenticates, the authenticated principal stays bound to the attacker-known ID. The attacker then replays that same ID and is admitted to the now-authenticated session, gaining the victim's authenticated authority without ever proving the victim's credentials.

The fix tightens WebFlux session ID handling so that a known or attacker-supplied ID cannot be carried over into an authenticated session, ensuring a server-generated ID is established for the authenticated session. The accompanying hardening on the same rotation path serializes the ID change so that the store's mapping is updated atomically. The fixed releases are Spring Framework 7.0.8 and 6.2.19 (OSS). The vulnerable WebFlux session handling has existed since the org.springframework.web.server package was introduced with WebFlux in Spring Framework 5.0, so the advisory's 5.3.0 lower bound reflects Spring's currently supported scope rather than the point of introduction. Spring Framework 4.3.x and earlier do not ship WebFlux and are not affected.

Steps To Reproduce

1. Build a Spring WebFlux application (Spring Framework 6.2.18 or any other affected pre-fix version) that uses the default WebFlux session support and authenticates users, with the session cookie scoped to a parent domain so that it is shared across subdomains:

   @Bean
   public WebSessionManager webSessionManager() {
       DefaultWebSessionManager manager = new DefaultWebSessionManager();
       CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
       resolver.addCookieInitializer(builder -> builder.domain("example.com"));
       manager.setSessionIdResolver(resolver);
       return manager;
   }

2. As the attacker, from a compromised sibling subdomain (for example app.example.com, compromised via cross-site scripting), write a session cookie for the parent domain into the victim's browser with a known, attacker-chosen session ID value:

document.cookie = "SESSION=attacker-known-session-id; domain=example.com; path=/";

3. As the victim, browse to the legitimate WebFlux application on another subdomain and authenticate normally. The browser sends the attacker-seeded SESSION cookie because it is scoped to the shared parent domain.

4. Observe that, on a vulnerable version, the authenticated session remains bound to the attacker-known session ID rather than a fresh server-generated ID.

5. As the attacker, send a request to the application carrying the same known session ID. The request is admitted into the victim's now-authenticated session, granting the attacker the victim's authenticated authority.

6. After upgrading to a fixed version (7.0.8, 6.2.19, or a HeroDevs NES build), repeat steps 3 through 5. The authenticated session is established under a fresh server-generated ID, the attacker-known ID no longer maps to the authenticated session, and the replay in step 5 fails.

Mitigation

Only recent versions of Spring Framework receive community support and updates. The 5.3.x and 6.1.x lines are End-of-Life for open source and have no publicly available OSS fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Framework. The OSS fix ships in Spring Framework 7.0.8 (7.0.x line) and 6.2.19 (6.2.x line).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Framework.

Credits

  • This vulnerability was discovered internally by the Spring Security team.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-41701
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Low
ID
CVE-2026-41839
PROJECT Affected
Spring Framework
Versions Affected
>=5.3.0 <=5.3.48, >=6.1.0 <=6.1.27, >=6.2.0 <=6.2.18, >=7.0.0 <=7.0.7
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 10, 2026
Fixed in
NES for Spring
Category
Authorization Bypass
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.