Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-exposed SOAP endpoint (AV:N); Bleichenbacher oracle attack requires high complexity (AC:H); no authentication required to submit WS-Security messages (PR:N); partial confidentiality and integrity impact from session key recovery; no availability impact.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag.
Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
AnalysisAI
Spring Web Services' Wss4jSecurityInterceptor silently defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's own safer default and permitting inbound WS-Security decryption to accept the weak RSA PKCS#1 v1.5 (rsa-1_5) key transport algorithm. This misconfiguration-by-default affects all four supported release trains (3.1.x, 4.0.x, 4.1.x, 5.0.x) and opens deployed SOAP services to Bleichenbacher-style adaptive chosen-ciphertext attacks against server-side RSA key material unless operators explicitly override the flag. No public exploit has been identified at time of analysis, and the CVSS-assigned high attack complexity (AC:H) reflects the significant number of oracle queries required to mount a practical attack.
Technical ContextAI
Spring Web Services (Spring-WS) is a Java-based, contract-first SOAP framework that delegates WS-Security operations - signing, encryption, decryption - to the Apache WSS4J library via the Wss4jSecurityInterceptor class. WSS4J introduced a deliberate safer default that rejects RSA PKCS#1 v1.5 key transport (XML Encryption algorithm URI http://www.w3.org/2001/04/xmlenc#rsa-1_5) in favor of RSA-OAEP, because rsa-1_5 is known to be susceptible to Bleichenbacher's 1998 padding oracle attack and its modern variants (ROBOT). The defect, classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), is that Wss4jSecurityInterceptor sets allowRSA15KeyTransportAlgorithm=true during construction of the inbound validation RequestData, overriding the library's safe default before WSS4J processes the message. The affected CPE is cpe:2.3:a:spring:spring_web_services across all versions in the listed ranges.
RemediationAI
The primary fix is to upgrade to a patched Spring Web Services release as directed by the vendor advisory at https://spring.io/security/cve-2026-40996 - exact fixed version numbers were not present in the provided input data and must be confirmed there before deploying. As an immediate compensating control, operators should explicitly set allowRSA15KeyTransportAlgorithm=false on every Wss4jSecurityInterceptor bean in their application context; this one-line configuration change restores the Apache WSS4J safer default and causes the interceptor to reject any inbound WS-Security message that presents rsa-1_5 key transport, eliminating the vulnerable code path without requiring an upgrade. The trade-off is that clients still using rsa-1_5 encryption will receive decryption failures and must be migrated to RSA-OAEP before the workaround is applied. Rate-limiting or WAF rules on the SOAP endpoint can raise the cost of any attempted Bleichenbacher oracle attack as a defense-in-depth measure but do not remediate the root cause.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36206
GHSA-p7qj-2q5w-f9r7