Spring Framework WebSocket Module Predictable Session ID Vulnerability

Vulnerability

A vulnerability exists in the Spring Framework's WebSocket module: WebSocket session IDs are generated from a source that is not cryptographically secure, so they are predictable. An attacker who can guess a session ID can exploit this when it is combined with weak authorization rules. This issue affects Spring Framework versions 7.0.0 to 7.0.7, 6.2.0 to 6.2.18, 6.1.0 to 6.1.27, and 5.3.0 to 5.3.48.

Impact

The vulnerability could allow unauthorized access to another user's WebSocket session, potentially leading to unauthorized actions or data exposure within the application.

Remediation

Users should upgrade to Spring Framework versions 7.0.8, 6.2.19, 6.1.28, or 5.3.49. Instructions for upgrading to these versions are available on the Spring Release Calendar.
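As an added example (not part of this advisory or of the Spring project), a small Python check that maps a Spring Framework version string to the affected ranges and fixed releases listed above, so dependency coordinates can be triaged in bulk; the sample coordinates it scans are constructed.

```python
# Added example: triage Spring Framework versions against the affected ranges
# listed in this advisory. Not code from the Spring project.
import re

# Inclusive affected ranges and the fixed release for each, as stated above.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 7), "7.0.8"),
    ((6, 2, 0), (6, 2, 18), "6.2.19"),
    ((6, 1, 0), (6, 1, 27), "6.1.28"),
    ((5, 3, 0), (5, 3, 48), "5.3.49"),
]

def parse_version(version: str) -> tuple:
    """Parse the numeric MAJOR.MINOR.PATCH prefix; qualifiers such as
    '-SNAPSHOT' or '.RELEASE' are ignored for the comparison."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def fixed_version_for(version: str):
    """Return the fixed release to upgrade to if `version` lies in an affected
    range, or None if it is outside every listed range (already fixed, or a
    line the advisory does not list)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None

def triage(coordinates):
    """Map 'group:artifact:version' coordinates to the required fixed release.
    Only Spring Framework artifacts (group org.springframework) are considered;
    a '-SNAPSHOT' qualifier is flagged for manual review, since a snapshot of a
    fixed version may predate the actual fix."""
    result = {}
    for coord in coordinates:
        group, artifact, version = coord.split(":")
        if group != "org.springframework":
            continue
        fixed = fixed_version_for(version)
        if fixed and "SNAPSHOT" in version.upper():
            fixed = f"{fixed} (snapshot: review manually)"
        result[coord] = fixed
    return result

# Constructed sample dependency coordinates for a quick run.
SAMPLE = ["org.springframework:spring-websocket:6.2.5",
          "org.springframework:spring-messaging:7.0.8",
          "org.springframework:spring-websocket:5.3.48",
          "com.example:other-lib:1.0.0"]
```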

Added: Jun 9, 2026, 6:40 AM
Updated: Jun 9, 2026, 6:40 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 1.3
exploitability: 4.7
remediation: 7.7
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.