Skip to main content

Spring Security CVE-2026-40988

| EUVD-2026-35883 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-10 security@vmware.com GHSA-m69x-pw9p-7j3q
Denial Of Service Java Spring Security
7.5
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (vmware) · only source for this CVE.

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 02:01 EUVD
Analysis Generated
Jun 10, 2026 - 00:30 vuln.today

DescriptionCVE.org

An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.

Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

AnalysisAI

Denial of service in Spring Security's SAML 2.0 service provider module allows remote unauthenticated attackers to exhaust application memory by submitting a maliciously compressed SAML payload over the REDIRECT binding. The flaw stems from an unbounded inflater that decompresses attacker-controlled data without size limits, enabling a classic decompression-bomb attack against any Spring application using SAML Login or Logout. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify SAML SP endpoint over REDIRECT
Delivery
Craft compressed SAML decompression bomb
Exploit
Submit as SAMLRequest query parameter
Execution
Trigger unbounded inflater in Spring filter
Persist
Exhaust JVM heap memory
Impact
Application becomes unresponsive
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target application must include the spring-security-saml2-service-provider dependency and have SAML 2.0 Login or Logout configured to use the REDIRECT binding, with the SAML endpoints reachable by the attacker (typically internet-exposed for federated SSO). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 7.5 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a high-impact availability attack reachable over the network with no authentication, no user interaction, and low complexity - a strong signal for prioritization in any internet-exposed SAML deployment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a SAML 2.0 message containing highly compressible padding (e.g., a long run of identical bytes that DEFLATE reduces to a few hundred bytes), base64-encodes it, and submits it as the SAMLRequest query parameter to the target's SAML SSO or SLO endpoint over the REDIRECT binding. The Spring Security filter inflates the payload into JVM heap without a size cap, and a small number of concurrent requests exhausts memory, triggering OutOfMemoryError and taking the SSO-protected application offline. …
Remediation Patch available per vendor advisory at https://spring.io/security/cve-2026-40988 - upgrade to the next patched maintenance release in each affected branch (5.7.24+, 5.8.26+, 6.3.17+, 6.4.17+, 6.5.11+, 7.0.6+ as released by VMware/Broadcom; verify exact fix version against the Spring advisory before deployment). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all applications using Spring Security with SAML Login or Logout (search build artifacts for spring-security-saml2-service-provider dependency). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL
10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
CVE-2026-55773 HIGH
8.8 Jun 19

Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers
CVE-2026-55772 HIGH
8.8 Jun 19

Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate

CVE-2026-44795 HIGH
8.5 Jun 22

Remote code execution in Spinnaker's Orca and Rosco services allows authenticated users to achieve arbitrary Java class

CVE-2026-50196 HIGH
7.5 Jun 17

Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re

Share

CVE-2026-40988 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy