
Spring Security: EUVD-2026-35886 | CVE-2026-40993 (HIGH)
Deserialization of Untrusted Data (CWE-502)
Published 2026-06-10 · Source: security@vmware.com · GHSA-2q7c-5gjm-7q23
CVSS 3.1 (NVD): 7.2

Severity by source

NVD (primary rating): 7.2 HIGH
  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.2 HIGH
  Rationale: the attacker needs high-privilege write access to the database table (PR:H) and no user interaction is required (UI:N); a successful deserialization yields code execution inside the application JVM, so Confidentiality, Integrity and Availability are all High. Scope is Unchanged because the code runs in the same application that contains the vulnerable component.
  CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: High
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High

Lifecycle Timeline (6 events, newest first)

Jun 18, 2026 03:49  vuln.today  Analysis updated, v3 (cvss_changed)
Jun 18, 2026 03:49  vuln.today  Analysis updated, v2 (cvss_changed)
Jun 18, 2026 03:38  vuln.today  Re-analysis queued (cvss_changed)
Jun 18, 2026 03:38  NVD         CVSS changed from 7.3 (HIGH) to 7.2 (HIGH)
Jun 10, 2026 02:01  EUVD        Patch available
Jun 10, 2026 00:31  vuln.today  Analysis generated

Description (NVD)

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively).

Affected versions: Spring Security 7.0.0 through 7.0.5.

Analysis (AI)

Insecure deserialization in Spring Security 7.0.0 through 7.0.5 allows an attacker with write access to the saml2_asserting_party_metadata database table to store malicious serialized Java payloads in the verification_credentials or encryption_credentials columns, leading to code execution when the JdbcAssertingPartyMetadataRepository deserializes them. The flaw affects deployments using the JDBC-backed SAML 2.0 asserting-party metadata repository introduced in the Spring Security 7.x line. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: identify a Spring Security 7.0.x deployment using the JDBC SAML asserting-party metadata repository
Delivery: obtain write access to the application database
Exploit: craft a Java deserialization gadget payload
Install: insert the payload into the verification_credentials column
C2: trigger a SAML metadata load via the login flow
Execute: the payload is deserialized and runs under the application JVM's identity
Impact: pivot to the host and downstream systems

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Spring application (1) runs Spring Security 7.0.0 through 7.0.5, (2) is configured to use JdbcAssertingPartyMetadataRepository to persist SAML 2.0 asserting-party metadata (the in-memory repository does not read credentials from a database and is not affected), and (3) the attacker can write, directly or through a separate weakness such as SQL injection, to the verification_credentials or encryption_credentials columns of the saml2_asserting_party_metadata table. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects the High privileges required (the attacker must already be able to write rows into the SAML metadata table) but full impact on confidentiality, integrity and availability once that precondition is met. …

Exploit Scenario: An attacker who obtains write access to the application database (through a separate SQL injection flaw, leaked DBA credentials, or a malicious insider) crafts a Java serialized gadget chain from classes in libraries already on the application classpath and writes it into the verification_credentials column of a row in saml2_asserting_party_metadata. The next time the application loads that asserting party's metadata through JdbcAssertingPartyMetadataRepository (for example, on a SAML login attempt), the payload is deserialized in-process and executes arbitrary code with the application JVM's identity. …

Remediation: Upgrade to Spring Security 7.0.6 or later, the vendor-released fixed version per the Spring advisory at https://spring.io/security/cve-2026-40993 and EUVD-2026-35886. Until the upgrade is in place, treat write access to saml2_asserting_party_metadata as equivalent to code execution in the application and restrict it accordingly. …
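The check a responder wants after the scenario above, as an added example that is neither this page's nor the Spring project's code: a read-only sweep of the saml2_asserting_party_metadata table that flags credential blobs which are not Java serialization streams or which name a class outside an expected allowlist. The EXPECTED_CLASSES allowlist, the entity_id column name and the com.example.attacker.Gadget class name are assumptions; the rows are constructed in an in-memory SQLite database so the script runs offline. Nothing is deserialized: the scanner only walks the bytes for TC_CLASSDESC records, which is what makes it safe to run on blobs that may be hostile.

```python
"""Triage saml2_asserting_party_metadata for tampered serialized credential columns.
Added example; not Spring Security code. Runs against a constructed SQLite sample so it
works offline; point scan_table() at a real connection to use it."""
import re
import sqlite3

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73      # new object
TC_CLASSDESC = 0x72   # new class descriptor, followed by a writeUTF() class name
_CLASS_NAME = re.compile(rb"^(\[+L)?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+;?$")

# ASSUMPTION: the class names a legitimately written row references. Baseline this from a
# known-good row with referenced_classes() before relying on it.
EXPECTED_CLASSES = {
    "java.util.ArrayList",
    "org.springframework.security.saml2.core.Saml2X509Credential",
}


def referenced_classes(blob: bytes) -> list[str]:
    """Class names carried by TC_CLASSDESC records in a Java serialization stream.

    Heuristic walk: a 0x72 byte followed by a 2-byte big-endian length and a string shaped
    like a fully qualified Java class name is taken as a class descriptor; everything else
    is skipped byte by byte. No object graph is rebuilt and nothing is deserialized."""
    names: list[str] = []
    i = 0
    while i < len(blob) - 3:
        if blob[i] == TC_CLASSDESC:
            length = int.from_bytes(blob[i + 1:i + 3], "big")
            candidate = blob[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(candidate) == length and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def scan_table(conn: sqlite3.Connection) -> list[tuple[str, str, str, list[str]]]:
    """Return (entity_id, column, reason, classes) for every credential blob that is not a
    Java stream or that references a class outside EXPECTED_CLASSES."""
    findings = []
    rows = conn.execute(
        "SELECT entity_id, verification_credentials, encryption_credentials "
        "FROM saml2_asserting_party_metadata"
    )
    for entity_id, ver, enc in rows:
        for column, blob in (("verification_credentials", ver), ("encryption_credentials", enc)):
            if not blob:
                continue
            blob = bytes(blob)
            if not blob.startswith(JAVA_SERIAL_MAGIC):
                findings.append((entity_id, column, "not a Java serialization stream", []))
                continue
            unexpected = [c for c in referenced_classes(blob) if c not in EXPECTED_CLASSES]
            if unexpected:
                findings.append((entity_id, column, "unexpected class in stream", unexpected))
    return findings


def java_stream(*class_names: str) -> bytes:
    """CONSTRUCTED test data: the header layout of a Java stream with one TC_OBJECT/
    TC_CLASSDESC record per class name. Not a complete, deserializable object graph."""
    out = bytearray(JAVA_SERIAL_MAGIC)
    for name in class_names:
        encoded = name.encode("ascii")
        out += bytes([TC_OBJECT, TC_CLASSDESC]) + len(encoded).to_bytes(2, "big") + encoded
        out += b"\x00" * 8 + b"\x02" + b"\x00\x00"  # serialVersionUID, SC_SERIALIZABLE, 0 fields
    return bytes(out)


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with CONSTRUCTED rows (the entity_id column name is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE saml2_asserting_party_metadata ("
        "entity_id TEXT PRIMARY KEY, verification_credentials BLOB, encryption_credentials BLOB)"
    )
    good = java_stream("java.util.ArrayList",
                       "org.springframework.security.saml2.core.Saml2X509Credential")
    # Hypothetical gadget class name standing in for a real chain from the classpath.
    tampered = java_stream("java.util.ArrayList", "com.example.attacker.Gadget")
    conn.executemany(
        "INSERT INTO saml2_asserting_party_metadata VALUES (?, ?, ?)",
        [
            ("https://idp-good.example/metadata", good, good),
            ("https://idp-tampered.example/metadata", tampered, good),
            ("https://idp-noenc.example/metadata", good, None),
        ],
    )
    return conn


if __name__ == "__main__":
    for entity_id, column, reason, classes in scan_table(build_sample_db()):
        print(f"{entity_id} {column}: {reason} {classes}")
```

Baseline EXPECTED_CLASSES by running referenced_classes() on a row the application wrote on a known-good system. The same sweep serves before the upgrade to find rows already planted, and after upgrading to 7.0.6 to find rows written while the vulnerable version was in service.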

Recommended Action (AI)

24 hours: Inventory all deployments running Spring Security 7.0.0 through 7.0.5 with the JDBC SAML 2.0 asserting-party metadata repository. …
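An added example of that inventory step (not vendor tooling): given build files, jar names and source, it reports which deployments run a version in the 7.0.0 to 7.0.5 range and which of those also reference JdbcAssertingPartyMetadataRepository, since both conditions must hold for exposure. The deployment contents are constructed, and the Java line that wires up the repository is illustrative rather than copied from any project.

```python
"""Inventory helper for the 24-hour action: find Spring Security builds in the affected
range and whether they wire up JdbcAssertingPartyMetadataRepository. Added example, not
vendor tooling; runs on constructed in-memory files so it works offline."""
import re

AFFECTED_MAJOR_MINOR = (7, 0)
AFFECTED_PATCH_MAX = 5            # 7.0.0 through 7.0.5 per the advisory
FIXED_VERSION = "7.0.6"
JDBC_REPO = "JdbcAssertingPartyMetadataRepository"

# Version strings as they appear in jar names, Maven <version> elements and Gradle coordinates.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_JAR = re.compile(r"spring-security-(?:core|saml2-service-provider|config)-(\d+\.\d+\.\d+)\.jar")
_MAVEN = re.compile(
    r"<artifactId>spring-security-(?:core|saml2-service-provider|config)</artifactId>\s*"
    r"<version>(\d+\.\d+\.\d+)</version>", re.S)
_GRADLE = re.compile(r"org\.springframework\.security:spring-security-[\w-]+:(\d+\.\d+\.\d+)")


def is_affected(version: str) -> bool:
    """True for 7.0.0 <= version <= 7.0.5 (major.minor.patch only; pre-release tags ignored)."""
    m = _VERSION.match(version)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    return (major, minor) == AFFECTED_MAJOR_MINOR and patch <= AFFECTED_PATCH_MAX


def found_versions(path: str, content: str) -> set[str]:
    """Spring Security versions visible in a file's name (jar) or contents (pom/gradle)."""
    versions = set(_JAR.findall(path))
    versions |= set(_MAVEN.findall(content))
    versions |= set(_GRADLE.findall(content))
    return versions


def inventory(files) -> dict:
    """files: iterable of (path, content). Returns the versions seen, whether the JDBC
    repository is referenced anywhere, and a verdict combining the two conditions."""
    versions: set[str] = set()
    uses_jdbc_repo = False
    for path, content in files:
        versions |= found_versions(path, content)
        if JDBC_REPO in content:
            uses_jdbc_repo = True
    affected = sorted(v for v in versions if is_affected(v))
    if affected and uses_jdbc_repo:
        verdict = "exposed"
    elif affected:
        verdict = "affected version, JDBC repository not referenced"
    else:
        verdict = "not affected"
    return {"versions": sorted(versions), "affected_versions": affected,
            "uses_jdbc_repo": uses_jdbc_repo, "verdict": verdict}


# CONSTRUCTED deployments: paths and contents are made up for the demo.
SAMPLE_DEPLOYMENTS = {
    "app1": [
        ("/srv/app1/pom.xml",
         "<dependency>\n  <groupId>org.springframework.security</groupId>\n"
         "  <artifactId>spring-security-saml2-service-provider</artifactId>\n"
         "  <version>7.0.3</version>\n</dependency>\n"),
        ("/srv/app1/src/main/java/SecurityConfig.java",
         "var repo = new JdbcAssertingPartyMetadataRepository(jdbc);  // illustrative line\n"),
        ("/srv/app1/lib/spring-security-core-7.0.3.jar", ""),
    ],
    "app2": [
        ("/srv/app2/build.gradle",
         'implementation "org.springframework.security:spring-security-saml2-service-provider:7.0.5"\n'),
        ("/srv/app2/lib/spring-security-core-7.0.5.jar", ""),
    ],
    "app3": [
        ("/srv/app3/build.gradle",
         'implementation "org.springframework.security:spring-security-saml2-service-provider:7.0.6"\n'),
        ("/srv/app3/src/main/java/SecurityConfig.java",
         "var repo = new JdbcAssertingPartyMetadataRepository(jdbc);  // illustrative line\n"),
    ],
}


def inventory_sample() -> dict:
    """Verdict per constructed deployment."""
    return {name: inventory(files)["verdict"] for name, files in SAMPLE_DEPLOYMENTS.items()}


if __name__ == "__main__":
    for name, verdict in inventory_sample().items():
        print(f"{name}: {verdict} (fixed in {FIXED_VERSION})")
```

The jar name on the deployed classpath is the authoritative source: a pom.xml or build.gradle that inherits its version from a BOM has no version element and contributes nothing here, so feed the lib directory listing rather than relying on build files alone. A deployment that is "affected version, JDBC repository not referenced" still needs the upgrade; it is only lower on the 24-hour list.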


EUVD-2026-35886 vulnerability details – vuln.today
