CVE-2026-41838
MEDIUMDescription
IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Is your site exposed to CVE-2026-41838?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| vmware | spring_framework |
| vmware | spring_framework |
| vmware | spring_framework |
| vmware | spring_framework |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-41838? +
How severe is CVE-2026-41838? +
What products are affected by CVE-2026-41838? +
How do I check if I'm vulnerable to CVE-2026-41838? +
Related Vulnerabilities
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files …
An authentication bypass vulnerability has been identified in the IFTTT integration feature. A remote, authenticated attacker could leverage this vulnerability …
Predictable default Wi-Fi Password in Access Point functionality in EZCast Pro II version 1.17478.146 allows attackers in Wi-Fi range to …
Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform …
The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and …
MileSight DeviceHub - CWE-330 Use of Insufficiently Random Values may allow Authentication Bypass