CVE-2026-41838

🗓️ 09 Jun 2026 03:49:15Reported by vmwareType

CVE-2026-41838: Spring Framework WebSocket session IDs are predictable and exploitable.

Reporter	Title	Published	Views	Family All 9
Cvelist	CVE-2026-41838 Spring Framework Predictable Session ID in WebSocket Module	9 Jun 202603:49	–	cvelist
Debian CVE	CVE-2026-41838	9 Jun 202603:49	–	debiancve
EUVD	EUVD-2026-35325	9 Jun 202603:49	–	euvd
NVD	CVE-2026-41838	9 Jun 202605:16	–	nvd
OSV	DEBIAN-CVE-2026-41838	9 Jun 202605:16	–	osv
OSV	UBUNTU-CVE-2026-41838	9 Jun 202600:00	–	osv
Positive Technologies	PT-2026-47649	9 Jun 202600:00	–	ptsecurity
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-41838	9 Jun 202600:00	–	nessus
Vulnrichment	CVE-2026-41838 Spring Framework Predictable Session ID in WebSocket Module	9 Jun 202603:49	–	vulnrichment

[
  {
    "vendor": "Spring",
    "product": "Spring Framework",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "status": "affected",
        "version": "7.0.0",
        "lessThan": "7.0.8",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.2.0",
        "lessThan": "6.2.19",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "6.1.0",
        "lessThan": "6.1.28",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "5.3.0",
        "lessThan": "5.3.49",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
spring	www.spring.io/security/cve-2026-41838

09 Jun 2026 13:49Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.14.8

EPSS0.00031

SSVC

CWE-330