
Spring Web Services CVE-2026-40994

EUVD-2026-36204 · HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-06-11 · vmware · GHSA-gg9r-wr4p-w63h
8.2 (CVSS 3.1) · Vendor: vmware

Severity by source

Vendor (vmware) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
vuln.today AI
8.2 HIGH

Network-reachable SOAP endpoint, no auth or UI needed (AV:N/AC:L/PR:N/UI:N); weakened WS-Security validation primarily corrupts message integrity (I:H) with limited confidentiality leakage and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Jun 11, 2026 - 08:01 (EUVD)
Analysis Generated: Jun 11, 2026 - 07:04 (vuln.today)

Description (CVE.org)

Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Analysis (AI)

Insecure default initialization in Spring Web Services' Wss4jSecurityInterceptor disables WSS4J BSP (WS-I Basic Security Profile) enforcement on inbound RequestData, allowing remote attackers to submit SOAP messages that violate BSP-mandated WS-Security rules. Affected versions span 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1, with no public exploit identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify SOAP endpoint using Spring-WS
Delivery: Craft WS-Security message violating BSP rules
Exploit: Submit request over network
Execution: Wss4jSecurityInterceptor accepts non-compliant message
Persist: Downstream logic processes forged security claims
Impact: Integrity of authenticated SOAP exchange compromised

Vulnerability Assessment (AI)

Exploitation: Requires that the target deploy a Spring Web Services version in the listed ranges and expose a SOAP endpoint protected by Wss4jSecurityInterceptor performing inbound WS-Security validation; the endpoint must be reachable by the attacker over the network (AV:N) with no authentication or user interaction needed (PR:N/UI:N). …
Risk Assessment: The vendor-provided CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N vector indicates a network-reachable, unauthenticated, low-complexity weakness with high integrity impact but only low confidentiality and no availability impact, which is consistent with weakened protocol-level validation rather than direct code execution. …
Exploit Scenario: An attacker reachable over the network sends a SOAP request to a Spring Web Services endpoint with WS-Security headers that violate BSP rules, for example a token-reference form or signature layout the profile disallows, and Wss4jSecurityInterceptor accepts the message because BSP enforcement on RequestData was never enabled. Downstream service logic that trusted BSP-enforced properties (such as which elements were signed) then processes the request, potentially honoring forged or manipulated WS-Security claims. …
Remediation: A patch is available per the vendor advisory at https://spring.io/security/cve-2026-40994; upgrade to the fixed maintenance release on your branch (post-5.0.1, post-4.1.3, post-4.0.18, or post-3.1.8, as published by Spring). Consult the advisory for the exact released versions, which this record does not enumerate. …

Recommended Action (AI)

Within 24 hours: Identify all Spring Web Services deployments and their versions (3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, 5.0.0-5.0.1). …


CVE-2026-40994 vulnerability details – vuln.today
