Cyber Resilience

CVE-2026-41700

HighUpdated

Published: 11 June 2026

Published
11 June 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0018 7.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41700 is a high-severity Origin Validation Error (CWE-346) vulnerability in Vmware Spring For Graphql. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 7.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials.…

more

Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

Vulnerability directly enables CSWSH via drive-by visit to attacker-controlled page to hijack authenticated WebSocket session.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

vmware
spring for graphql
1.0.0 — 1.0.7 · 1.3.0 — 1.3.9 · 1.4.0 — 1.4.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-346

Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.

addresses: CWE-346

Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.

addresses: CWE-346

Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.

addresses: CWE-346

Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.

addresses: CWE-346

Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

References