
Spring REST Docs CVE-2026-40991

EUVD ID: EUVD-2026-35885 · Severity: MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-06-10 · security@vmware.com · GHSA-6rpq-6vv2-5222
CVSS 3.1 base score 5.9 (Vendor: vmware)

Severity by source

Vendor (vmware), primary: 5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L

Primary rating from Vendor (vmware); the only source for this CVE.

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Patch available: Jun 10, 2026 02:01 (source: EUVD)
Analysis generated: Jun 10, 2026 00:31 (source: vuln.today)

Description (source: CVE.org)

When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.

Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.

Analysis (AI-generated)

XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Compromise the remote API or stand up a malicious HTTP endpoint
Delivery: Embed an XXE payload in the API's XML response
Exploit: Developer or CI runner executes the documentation tests against the attacker-controlled endpoint
Execution: spring-restdocs-webtestclient or spring-restdocs-restassured processes the XML response
Persist: Java XML parser resolves the external entity reference
Impact: Sensitive local file or environment secret disclosed to the attacker

Vulnerability Assessment (AI-generated)

Exploitation: Two conditions must both hold: (1) the project uses the spring-restdocs-webtestclient or spring-restdocs-restassured module (not spring-restdocs-mockmvc, which the advisory does not list as affected) and its documentation tests contact a real remote HTTP endpoint rather than a local mock; (2) the attacker controls that endpoint, either by compromising the upstream API server or by tricking the developer into running the tests against an attacker-hosted URL. …
Risk Assessment: The CVSS 5.9 score reflects meaningful but bounded risk. AV:N confirms network reachability, but AC:H (High Attack Complexity) and UI:R (User Interaction Required) together mean the attacker must either compromise the legitimate remote API being documented or socially engineer the developer into pointing the tests at an adversary-controlled endpoint. …
Exploit Scenario: A developer or an automated CI pipeline runs Spring REST Docs documentation tests using spring-restdocs-webtestclient or spring-restdocs-restassured against a staging or third-party API endpoint. An attacker who has compromised that API serves a crafted XML response whose DOCTYPE declares an external entity pointing at a sensitive local path such as ~/.aws/credentials or a CI-injected environment variable file. Note that the expanded entity lands in the test run's own output on the developer machine or CI runner, not in a reply to the attacker; for the contents to actually reach the attacker, the parser must also be induced to fetch an attacker-controlled external resource that carries them (the out-of-band form of XXE), or the generated documentation must later be published somewhere the attacker can read it. …
Remediation: Upgrade to a patched version of Spring REST Docs per the vendor advisory at https://spring.io/security/cve-2026-40991. Since exploitation requires the documented endpoint to be attacker-controlled, restricting documentation tests to endpoints you operate removes the precondition in the meantime. …
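The parser behaviour behind this class of bug, shown as an added example that is not Spring REST Docs' code and makes no claim about where in that library the response is parsed: a plain JDK DOM parse with default settings beside one hardened to reject DTDs, both fed a constructed malicious XML response whose external entity points at a temporary file standing in for ~/.aws/credentials. The class name, the helper names, the temp-file secret and the sample response are all assumptions for illustration; the example also assumes the JDK's bundled Xerces with its default (permissive) entity handling, which is what an application gets unless jaxp.properties has been tightened.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Illustrative class, not code from Spring REST Docs.
public class XxeResponseDemo {

    // Unhardened: the JDK's default DocumentBuilderFactory accepts a DOCTYPE and
    // resolves external general entities, which is exactly the XXE condition.
    static String parseUnhardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    // Hardened: refuse any DOCTYPE outright. The remaining settings are defence in
    // depth for a non-default parser on the classpath that ignores the first feature.
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    // Cheap pre-parse gate for a test suite: a documented API response has no
    // legitimate reason to carry a DTD, so fail the run before parsing at all.
    static boolean containsDoctype(String body) {
        return body.toUpperCase().contains("<!DOCTYPE");
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a secret such as ~/.aws/credentials (assumption).
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "aws_secret_access_key = AKIAEXAMPLEDONOTUSE");
        try {
            // Constructed malicious response, as a compromised endpoint would serve it.
            String malicious = "<?xml version=\"1.0\"?>\n"
                    + "<!DOCTYPE response [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                    + "<response><status>&xxe;</status></response>";

            System.out.println("pre-parse gate: containsDoctype=" + containsDoctype(malicious));
            // Default parser: the entity expands and the file contents appear in the document.
            System.out.println("unhardened parse: " + parseUnhardened(malicious));
            try {
                parseHardened(malicious);
                System.out.println("hardened parse: unexpectedly succeeded");
            } catch (SAXParseException e) {
                // Expected: DOCTYPE is rejected before any entity can be resolved.
                System.out.println("hardened parse rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `java XxeResponseDemo.java` (Java 11 or later). The unhardened branch prints the temp file's contents inside the parsed document, which is the disclosure the advisory describes; the hardened branch throws on the DOCTYPE. The same feature flags apply to SAXParserFactory and, via setAttribute of the XMLConstants properties, to TransformerFactory, so wherever a captured response is parsed or pretty-printed, check that the factory in use is configured this way rather than assuming the defaults are safe.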


