Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Certificate possession is equivalent to low-privilege credential (PR:L); scope is unchanged and impact is bounded to authenticated service resources (C:L/I:L/A:N).
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts).
Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
AnalysisAI
X509AuthenticationProvider in Spring Web Services issues fully authenticated tokens from client certificates without enforcing Spring Security's account lifecycle checks, meaning disabled, locked, expired, or credentials-expired accounts can successfully authenticate. This affects all maintained release branches from 3.1.0 through 5.0.1 and was reported by VMware, the Spring project maintainer. No public exploit or CISA KEV listing has been identified at time of analysis, but the bypass is meaningful in environments that rely on account-disablement as the primary deprovisioning control rather than certificate revocation.
Technical ContextAI
Spring Web Services (Spring-WS) is a Java contract-first SOAP framework built atop the broader Spring ecosystem. Client X.509 certificate authentication in Spring-WS flows through X509AuthenticationProvider, which maps a presented certificate to a UserDetails object. Under standard Spring Security design, any UserDetails retrieval is subject to AccountStatusUserDetailsChecker, which enforces four lifecycle predicates: account enabled, account non-locked, account non-expired, and credentials non-expired. CWE-287 (Improper Authentication) captures the root cause: the provider short-circuits this checker and emits a fully authenticated X509AuthenticationToken the moment a valid certificate-to-UserDetails mapping is resolved, bypassing the enforcement gate entirely. The affected CPE is cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:*, spanning versions 3.1.0 through 5.0.1 across four release branches.
RemediationAI
The primary remediation is to upgrade to a fixed version of Spring Web Services once patched releases are confirmed via the vendor advisory at https://spring.io/security/cve-2026-40995. No exact fixed version number is available in the current intelligence - the advisory must be consulted directly for the specific target version per affected branch. As an immediate compensating control prior to patching, organizations should ensure that user deprovisioning workflows include explicit certificate revocation through CRL updates or OCSP stapling in addition to account disablement in the UserDetails store; this prevents the TLS layer from presenting the certificate to the application at all, neutralizing the bypass. A second workaround, if mutual TLS certificate authentication via X509AuthenticationProvider is not strictly required by the application, is to disable that authentication provider in the Spring Security configuration - this eliminates the vulnerable code path entirely but will break all certificate-based login flows for legitimate users. Both compensating controls have operational trade-offs that should be evaluated against the deployment's authentication architecture before implementation.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36205
GHSA-6mfm-98wv-32wm