Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Primary rating from Vendor (vmware) · only source for this CVE.
CVSS Vector (Vendor: vmware)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Description (CVE.org)
When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed.
Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE.
Analysis (AI)
XXE injection in Spring REST Docs exposes developer machines and CI runners to file disclosure when documentation-generating tests process responses from a remote API. Versions 4.0.0, 3.0.0-3.0.5, and 2.0.0.RELEASE-2.0.8.RELEASE of the spring-restdocs-webtestclient and spring-restdocs-restassured modules fail to disable XML external entity processing, allowing an attacker who controls the documented API endpoint to serve a malicious XML response. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Two conditions must both hold: (1) the project uses the spring-restdocs-webtestclient or spring-restdocs-restassured module (not spring-restdocs-mockmvc) and runs its documentation tests against a real remote HTTP endpoint rather than a local mock; (2) the attacker controls that endpoint, either by compromising the upstream API server or by tricking the developer into running the tests against an attacker-hosted URL. … |
| Risk Assessment | The CVSS 5.9 score reflects meaningful but bounded risk: AV:N means the malicious response arrives over the network, but AC:H (high attack complexity) and UI:R (user interaction required) together mean the attacker must either compromise the legitimate remote API being documented or socially engineer the developer into pointing the tests at an adversary-controlled endpoint. … |
| Exploit Scenario | A developer or automated CI pipeline runs Spring REST Docs documentation tests using spring-restdocs-webtestclient or spring-restdocs-restassured against a staging or third-party API endpoint. An attacker who has compromised that API serves a crafted XML response containing an XXE payload that references a sensitive local path such as ~/.aws/credentials or a CI-injected environment variable file; the file is read with the privileges of the test process. … |
| Remediation | Upgrade to a patched version of Spring REST Docs per the vendor advisory at https://spring.io/security/cve-2026-40991. … |
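To make the mechanism in the analysis and the exploit scenario concrete, the following is an added example, not code from Spring REST Docs, the advisory, or this page: a JAXP DocumentBuilderFactory parses an attacker-supplied XML response once with stock defaults (external entities resolved, which is the defect the advisory describes) and once with DOCTYPE and external entity processing disabled. The response body, the `account`/`owner` elements, and the temp file standing in for a credentials file are all constructed for this illustration; how Spring REST Docs itself configures its parser is not shown here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeResponseDemo {

    // Constructed stand-in for the body an attacker-controlled API would return
    // to the documentation test. The external entity points at a local file; a
    // parser that resolves it splices the file's contents into <owner>.
    static String maliciousResponse(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE account [\n"
             + "  <!ENTITY creds SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<account><id>42</id><owner>&creds;</owner></account>\n";
    }

    // Vulnerable configuration: JAXP defaults leave external general entity
    // processing enabled, so the SYSTEM entity above is fetched from disk.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: reject any DOCTYPE outright (the payload never
    // reaches entity resolution), and additionally switch off external entities
    // and external DTD/schema access in case a parser ignores the first feature.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the response body and returns the text of <owner>, i.e. what would
    // end up in the generated documentation snippet.
    static String ownerText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("owner").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // A throwaway file stands in for ~/.aws/credentials so the demo is safe
        // to run anywhere; the contents are made up for this example.
        Path secret = Files.createTempFile("fake-credentials", ".txt");
        Files.writeString(secret, "aws_secret_access_key=EXAMPLEKEY-NOT-REAL\n");
        String xml = maliciousResponse(secret.toUri().toString());

        // Default parser: the file contents are now part of the "documented" response.
        System.out.println("default factory -> owner = " + ownerText(defaultFactory(), xml).trim());

        // Hardened parser: the DOCTYPE is rejected before any entity is touched.
        try {
            ownerText(hardenedFactory(), xml);
            System.out.println("hardened factory -> unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("hardened factory -> rejected: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeResponseDemo.java && java XxeResponseDemo`. Until the upgrade is in place, the practical compensating controls follow the same shape: point documentation tests at a local mock rather than a remote HTTP endpoint, and treat any response body that carries a DOCTYPE as hostile rather than letting it reach an XML parser with default settings.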
Related identifiers
EUVD-2026-35885
GHSA-6rpq-6vv2-5222