Skip to main content

Spring Web Services CVE-2026-40997

| EUVDEUVD-2026-36207 MEDIUM
Error Message Information Leak (CWE-209)
2026-06-11 vmware GHSA-5x25-c2rf-f2jx
5.3
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible SOAP endpoint, no special conditions, unauthenticated trigger; only account-state metadata disclosed, no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 08:01 EUVD
Analysis Generated
Jun 11, 2026 - 06:59 vuln.today

DescriptionCVE.org

Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

AnalysisAI

Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.

Technical ContextAI

Spring Web Services (Spring-WS) is VMware's contract-first SOAP framework for Java applications. When paired with Spring Security, authentication failures ordinarily produce several distinct typed exceptions - LockedException, DisabledException, AccountExpiredException, and CredentialsExpiredException - each conveying specific account lifecycle semantics. CWE-209 (Generation of Error Message Containing Sensitive Information) applies because certain Spring-WS integration paths propagate these distinct exceptions - or their messages - directly into SOAP fault responses or callback return values rather than collapsing them into a uniform authentication-denied signal. The CPE cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:* covers all Spring-WS artifacts across the affected version ranges: 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1. The flaw is specific to SOAP endpoint configurations - not Spring MVC REST or non-WS Spring Security flows.

RemediationAI

The primary fix is to upgrade to a patched release; the vendor advisory at https://spring.io/security/cve-2026-40997 should be consulted for exact fixed versions, as specific patch version numbers were not included in the available input data - the patch is available per vendor advisory. If an immediate upgrade is not feasible, a viable compensating control is to implement a custom AuthenticationFailureHandler or WsSecuritySecurementInterceptor that catches all Spring Security typed account-state exceptions and re-throws or returns a single generic authentication-failed outcome before the response reaches the SOAP marshalling layer; this eliminates differentiated error semantics without requiring a code upgrade but must be applied to every affected integration point. Additionally, network-level access controls that restrict SOAP endpoint exposure to trusted networks or IP ranges reduce the attack surface at the cost of limiting legitimate client reach. Note that neither workaround addresses the root defect in the library itself, and both require ongoing maintenance discipline.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-40997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy