CVE-2026-41700

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials...

CVE-2026-41699

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and the classpath contains specifi...

EUVD-2026-36214

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored...

CVE-2026-41700 Cross-Site WebSocket Hijacking in Spring for GraphQL

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials...

CVE-2026-41700

Spring for GraphQL with WebSocket transport is affected by Cross-Site WebSocket Hijacking. Affected versions: Spring for GraphQL 2.0.0–2.0.3; 1.4.0–1.4.5; 1.3.0–1.3.8; 1.0.0–1.0.6. Description confirms the issue: an attacker can lure an authenticated user to a malicious page to execute arbitrary ...

EUVD-2026-36212

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and the classpath contains specifi...

CVE-2026-41699 Unsafe Deserialization in Spring GraphQL

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and the classpath contains specifi...

CVE-2026-41699

Summary (CVE-2026-41699) : Spring for GraphQL applications are vulnerable to unsafe deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that may lead to Remote Code Execution if the application exposes a paginated (Connection) field and the...

PT-2026-48626

Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials...

PT-2026-48625

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated Connection field and the classpath contains specifi...

This Week in Spring – March 18th, 2025

Hi, Spring fans! I just got back from the amazing JavaOne show held in Redwood Shores. It was a fun, uproarious event and a great chance to reconnect with tons of friends, old and new. I love this community! One of the central highlights of this show? Java 24 is here, finally! And, as usual, we'v...

This Week in Spring - February 18th, 2025

Hi, Spring fans! It's the week of February 18th, 2025, and you know what that means? ConFoo and Devnexus are nearly here! Next week, I'll be traveling to amazing Montreal, Canada, to speak at the ConFoo show for an amazing community, poutine, and technology! Then, a few days later, it's off to...

This Week in Spring - October 29th, 2024

Hi, Spring fans! How're things? It's almost Halloween! I'm so excited! I'm going as a PHP program. Boooooooo...t. I'm writing this from the amazing Vaadin Create conference in Frankfurt, Germany, about to do my keynote for an amazing, Spring-loving audience here. So, without further ado, let's di...

This Week in Spring - June 25th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I'm in beautiful Amsterdam, having visited with customers and spoken at a local Java User Group. Now I'm off to lovely London, UK. Last week I was in Krakow, Poland, for the amazing Devoxx PL event, and in Par...

This Week in Spring - Tuesday, April 23rd, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! We've had a really busy, wonderful week, as always, so let's dive right into it! We want you! ...to submit a talk to SpringOne 2024, in sunny Las Vegas! Hurry, the CFP closes May 3rd! Spring Shell 3.1.11, 3.2.4, and 3.3.0-m1...

This Week in Spring - April 2nd, 2024

Welcome, welcome, welcome, to another installment of This Week in Spring! You know, we've come a long way since you and I last spoke. It's April already! A new month! How bizarre. And, with the dawning of a new month, we're also more than 25% through this year! I sure hope you're paying attention...

This Week in Spring - February 27th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring wherein we explore the latest-and-greatest in the wonderful world of Springdom. This week's going to be a very good one, so let's dive right into it! good news everyone! Spring Boot's been updated! 3.3.0-M2, 3.2.3, and 3.1.9 a...

GHSA-FRQC-F2H8-FJVF Spring for GraphQL may be exposed to GraphQL context with values from a different session

A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader...

CVE-2023-34047 Exposure of data and identity to wrong session in Spring for GraphQL

A batch loader function in Spring for GraphQL versions 1.1.0 - 1.1.5 and 1.2.0 - 1.2.2 may be exposed to GraphQL context with values, including security context values, from a different session. An application is vulnerable if it provides a DataLoaderOptions instance when registering batch loader...

PT-2023-24654 · Spring · Spring For Graphql

Name of the Vulnerable Software and Affected Versions: Spring for GraphQL versions 1.1.0 through 1.1.5 Spring for GraphQL versions 1.2.0 through 1.2.2 Description: A batch loader function in Spring for GraphQL may be exposed to GraphQL context with values, including security context values, from ...