CVE-2026-41839
MediumCVSS 4.2Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
A WebFlux application with a compromised subdomain (e.g., via XSS) allows an attacker to exchange a known session ID for that of an authenticated user, leading to privilege escalation.
Risk Assessment
An attacker can hijack an authenticated user's session, gaining unauthorized access to protected resources and data within the application.
Recommendation
Immediately upgrade Spring Framework to version 7.0.8, 6.2.19, 6.1.28, or 5.3.49, depending on the branch in use.
Original NVD description (English source)
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

