Spring Framework Predictable Session ID in WebSocket (CVE-2026-41838)

Vulnerability Overview CVE ID: CVE-2026-41838 Vulnerability Name: Predictable Session ID in WebSocket Module of Spring Framework Severity: Medium Publication Date: June 8, 2026 Description: Session IDs within WebSocket sessions (in the module) are not cryptographically unpredictable. This may be exploitable when combined with inadequate authorization controls. Affected Products Affected Spring Products: - Spring Framework: - 7.0.0 – 7.0.7 - 6.2.0 – 6.2.18 - 6.1.0 – 6.1.27 - 5.3.0 – 5.3.48 - Discontinued versions are also affected. Remediation Mitigations: - Upgrade affected versions to their respective patched versions. - Specific patched versions are as follows: - 7.0.x → 7.0.8 (OSS), 7.0.7.1 (Commercial) - 6.2.x → 6.2.19 (OSS), 6.2.18.1 (Commercial) - 6.1.x → 6.1.28 (Commercial) - 5.3.x → 5.3.49 (Commercial) Other Mitigation Steps: No further mitigation steps are required. Additional Information Credit: This issue was discovered internally. References: NVD Link History: 2026-06-08: Initial vulnerability report published. Reporting Vulnerabilities To report a security vulnerability in the Spring portfolio, please see the Security Policy. --- Summary This vulnerability involves the predictability of session IDs in the WebSocket module of Spring Framework, which may lead to security issues. Affected product versions include the 7.0.x, 6.2.x, 6.1.x, and 5.3.x series. Users are advised to upgrade to the corresponding patched versions to resolve this issue.

Goal Reached Thanks to every supporter — we hit 100%!

Spring Framework Predictable Session ID in WebSocket (CVE-2026-41838)