CVE-2026-41839— Spring Framework Escalation via Session Fixation in WebFlux
Possible ATT&CK Techniques 1AI
T1078.003 · Local AccountsAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Framework | 7.0.0< 7.0.8 | affected |
6.2.0< 6.2.19 | affected | ||
6.1.0< 6.1.28 | affected | ||
5.3.0< 5.3.49 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41839
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Spring Framework Escalation via Session Fixation in WebFlux
Source: NVD (National Vulnerability Database)
Vulnerability Description
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
会话固定
Source: NVD (National Vulnerability Database)
Vulnerability Title
Spring Framework 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Spring Framework是Spring开源的一款应用开发框架。 Spring Framework 7.0.0至7.0.7版本、6.2.0至6.2.18版本、6.1.0至6.1.27版本和5.3.0至5.3.48版本存在授权问题漏洞,该漏洞源于WebFlux应用程序在子域名被攻破时,可能通过交换已知会话ID进行权限提升攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Spring | Spring Framework | 7.0.0 ~ 7.0.7.1 | - |
II. Public POCs for CVE-2026-41839
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41839
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-41839 (1)
Same Patch Batch · Spring · 2026-06-09 · 51 CVEs total
| CVE-2026-41717 | 8.1 HIGH | Spring Data MongoDB - SpEL Expression Injection via Annotated Query Parameter Binding |
| CVE-2026-41732 | 8.1 HIGH | In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper expose |
| CVE-2026-41855 | 8.1 HIGH | Spring Framework Unsafe Deserialization via Jackson JMS Converters |
| CVE-2026-41729 | 8.1 HIGH | Spring Data REST SpEL Injection via Map Key in JSON Patch |
| CVE-2026-41731 | 8.1 HIGH | In Spring for Apache Kafka, overly broad trusted-package matching in header mappers expose |
| CVE-2026-41003 | 7.6 HIGH | Unencoded HTML Outputs in Spring Security May Allow Cross-Site Scripting |
| CVE-2026-41728 | 7.5 HIGH | Spring Data REST JSON Patch bypasses Jackson read-only property protection on nested objec |
| CVE-2026-40983 | 7.5 HIGH | Micrometer gRPC server instrumentation DoS vulnerability |
| CVE-2026-40984 | 7.5 HIGH | Micrometer HTTP server instrumentations DoS vulnerability |
| CVE-2026-40988 | 7.5 HIGH | Unbounded DEFLATE Inflation in SAML 2.0 Service Provider |
| CVE-2026-41850 | 7.5 HIGH | Spring Framework Algorithmic Denial of Service via SpEL Expressions |
| CVE-2026-41716 | 7.5 HIGH | Spring Data web support unbounded negative-result cache keyed on attacker-supplied propert |
| CVE-2026-41695 | 7.5 HIGH | Denial of Service in Spring Data Commons Property Path Resolution |
| CVE-2026-41849 | 7.5 HIGH | Spring Framework Denial of Service via Integer Overflow in SpEL Expressions |
| CVE-2026-41007 | 7.5 HIGH | Spring HATEOAS heap exhaustion through unbounded internal caching |
| CVE-2026-41006 | 7.5 HIGH | Spring HATEOAS Collection+JSON/UBER deserializers do not honor Jackson configuration |
| CVE-2026-41842 | 7.5 HIGH | Spring Framework Denial of Service via Versioned Resources in Spring MVC and WebFlux |
| CVE-2026-41720 | 7.4 HIGH | Authentication Bypass with Empty Password in Spring LDAP |
| CVE-2026-40993 | 7.3 HIGH | Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Databa |
| CVE-2026-41845 | 7.1 HIGH | Spring Framework Cross-site Scripting via JavaScriptUtils |
Showing top 20 of 51 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Spring Framework
- CVE-2026-41855
Spring Framework Unsafe Deserialization via Jackson JMS Conv - CVE-2026-41854
Spring Framework Server-Side Request Forgery via UriComponen - CVE-2026-41853
Spring Framework Multipart Request Smuggling in Spring MVC a - CVE-2026-41852
Spring Framework Arbitrary Method Invocation in SpEL Express - CVE-2026-41851
Spring Framework Denial of Service via Unbounded Cache in Sp
Same vendor: Spring
- CVE-2026-41862
Spring Statemachine RCE漏洞,影响3.2.x及4.0.x版本 - CVE-2026-47825
Spring Cloud Gateway Server Forwards Headers from Untrusted - CVE-2026-41708
Spring Cloud Sleuth instrumentation of Spring TX DoS vulnera - CVE-2026-47835
Spring AI vector store metadata filtering to handle special - CVE-2026-41856
Spring GraphQL Annotation Detection Vulnerability
Same weakness: CWE-384
- CVE-2026-40082
Cacti: Session Fixation via missing session_regenerate_id() - CVE-2026-56425
MISP AAD authentication plugin - Improper OAuth State Handli - CVE-2026-12581
Digiwin|EasyFlow .NET - Session Fixation - CVE-2009-10007
Catalyst::Plugin::Authentication versions before 0.10_027 fo - CVE-2026-11335
tittuvarghese CollegeManagementSystem login-form.php session
V. Comments for CVE-2026-41839
No comments yet