CVE-2026-41839 PUBLISHED

Spring Framework Escalation via Session Fixation in WebFlux

Assigner: vmware
Reserved: 22.04.2026 Published: 09.06.2026 Updated: 09.06.2026

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.

Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Framework
Versions	Default: unaffected affected from 7.0.0 to 7.0.8 (excl.) affected from 6.2.0 to 6.2.19 (excl.) affected from 6.1.0 to 6.1.28 (excl.) affected from 5.3.0 to 5.3.49 (excl.)

References

https://spring.io/security/cve-2026-41839

Problem Types

CWE-384: Session Fixation CWE

Impacts

A WebFlux application with a compromised subdomain is vulnerable to a session fixation escalation attack that allows an attacker to exchange a known session ID for that of an authenticated user.