Generation of Predictable Numbers or Identifiers affecting the org.springframework:spring-websocket package, versions [5.3.0, 6.0.0), [6.1.0, 6.2.19), [7.0.0-M1, 7.0.8)


Severity

medium

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.17% (7th percentile)

  • Snyk ID: SNYK-JAVA-ORGSPRINGFRAMEWORK-17254123
  • Published: 9 Jun 2026
  • Disclosed: 8 Jun 2026
  • Credit: Unknown

Introduced: 8 Jun 2026

CVE-2026-41838
CWE-340

How to fix?

Upgrade org.springframework:spring-websocket to version 6.0.0, 6.2.19, 7.0.8 or higher.

Overview

org.springframework:spring-websocket is the WebSocket support module of the Spring Framework, which provides a comprehensive programming and configuration model for modern Java-based enterprise applications on any kind of deployment platform.

Affected versions of this package are vulnerable to Generation of Predictable Numbers or Identifiers because the spring-websocket module generates WebSocket session identifiers with insufficient randomness. An attacker can guess or predict valid WebSocket session IDs. In environments with inadequate authorization controls, this may allow unauthorized access to or interaction with other users' WebSocket sessions.

Note: Successful exploitation typically requires inadequate authorization rules.
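The two conditions the advisory names (a predictable session identifier, and authorization that rests on that identifier) are illustrated in the added example below. It is not Spring's own code and does not reproduce the framework's actual generator: `SessionIds` contrasts a hypothetical identifier drawn from `java.util.Random` (a seeded generator whose output is reproducible) with one drawn from `SecureRandom` with 128 bits of entropy, and `OwnerBoundHandler` shows the compensating control the note points at, namely binding every session to the authenticated principal at connection time so that merely knowing a session id grants nothing. The `targetSessionId:payload` wire format is constructed for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.web.socket.CloseStatus;
import org.springframework.web.socket.TextMessage;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.handler.TextWebSocketHandler;

/** Hypothetical session-id generation: the weak pattern CWE-340 describes, beside a hardened one. */
final class SessionIds {
    // Weak: java.util.Random is a small-state, seeded generator. Its sequence is
    // reproducible, so ids derived from it carry far less entropy than their length suggests.
    private static final Random WEAK = new Random();

    static String weakId() {
        return Long.toHexString(WEAK.nextLong());
    }

    // Hardened: a CSPRNG and 128 bits of entropy per id, URL-safe encoded without padding.
    private static final SecureRandom STRONG = new SecureRandom();

    static String strongId() {
        byte[] buf = new byte[16];
        STRONG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}

/**
 * Authorization must not rest on the session id. Each session is bound to the
 * authenticated principal when the connection is established, and a message
 * addressed to another session is delivered only if the caller owns that session.
 * Wire format (constructed for this example): "<targetSessionId>:<payload>".
 */
final class OwnerBoundHandler extends TextWebSocketHandler {
    private final Map<String, WebSocketSession> sessions = new ConcurrentHashMap<>();
    private final Map<String, String> owners = new ConcurrentHashMap<>(); // session id -> principal name

    @Override
    public void afterConnectionEstablished(WebSocketSession session) throws Exception {
        if (session.getPrincipal() == null) {
            // Anonymous sockets are not admitted; there is no principal to bind to.
            session.close(CloseStatus.POLICY_VIOLATION);
            return;
        }
        sessions.put(session.getId(), session);
        owners.put(session.getId(), session.getPrincipal().getName());
    }

    @Override
    protected void handleTextMessage(WebSocketSession session, TextMessage message) throws Exception {
        String[] parts = message.getPayload().split(":", 2);
        if (parts.length != 2) {
            return; // malformed frame; ignored
        }
        String targetId = parts[0];
        WebSocketSession target = sessions.get(targetId);
        if (target == null) {
            return; // unknown or already closed session
        }
        // Knowing or guessing a session id is not sufficient: the caller must own it.
        String caller = session.getPrincipal().getName();
        if (!caller.equals(owners.get(targetId))) {
            session.sendMessage(new TextMessage("forbidden"));
            return;
        }
        target.sendMessage(new TextMessage(parts[1]));
    }

    @Override
    public void afterConnectionClosed(WebSocketSession session, CloseStatus status) {
        sessions.remove(session.getId());
        owners.remove(session.getId());
    }
}
```

The ownership check in `handleTextMessage` is what the advisory's note refers to: once every cross-session operation is authorized against the principal rather than the identifier, a guessed session id no longer yields access, which is why the fixed versions and an authorization review are both worth applying.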
