Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible SOAP endpoint, no special conditions, unauthenticated trigger; only account-state metadata disclosed, no integrity or availability impact.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state.
Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
AnalysisAI
Information disclosure in Spring Web Services (Spring-WS) exposes account lifecycle state - such as locked, disabled, or expired status - to remote unauthenticated SOAP clients through verbose exception messages or callback outcomes during authentication processing. Affected are four actively maintained branches (3.1.x through 5.0.x) when the SOAP layer is integrated with Spring Security; the root cause is CWE-209, where error handling fails to normalize Spring Security's typed account-state exceptions into generic authentication failures. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the CVSS 5.3 (Medium) rating reflects genuine reconnaissance utility for account enumeration against exposed SOAP endpoints.
Technical ContextAI
Spring Web Services (Spring-WS) is VMware's contract-first SOAP framework for Java applications. When paired with Spring Security, authentication failures ordinarily produce several distinct typed exceptions - LockedException, DisabledException, AccountExpiredException, and CredentialsExpiredException - each conveying specific account lifecycle semantics. CWE-209 (Generation of Error Message Containing Sensitive Information) applies because certain Spring-WS integration paths propagate these distinct exceptions - or their messages - directly into SOAP fault responses or callback return values rather than collapsing them into a uniform authentication-denied signal. The CPE cpe:2.3:a:spring:spring_web_services:*:*:*:*:*:*:*:* covers all Spring-WS artifacts across the affected version ranges: 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1. The flaw is specific to SOAP endpoint configurations - not Spring MVC REST or non-WS Spring Security flows.
RemediationAI
The primary fix is to upgrade to a patched release; the vendor advisory at https://spring.io/security/cve-2026-40997 should be consulted for exact fixed versions, as specific patch version numbers were not included in the available input data - the patch is available per vendor advisory. If an immediate upgrade is not feasible, a viable compensating control is to implement a custom AuthenticationFailureHandler or WsSecuritySecurementInterceptor that catches all Spring Security typed account-state exceptions and re-throws or returns a single generic authentication-failed outcome before the response reaches the SOAP marshalling layer; this eliminates differentiated error semantics without requiring a code upgrade but must be applied to every affected integration point. Additionally, network-level access controls that restrict SOAP endpoint exposure to trusted networks or IP ranges reduce the attack surface at the cost of limiting legitimate client reach. Note that neither workaround addresses the root defect in the library itself, and both require ongoing maintenance discipline.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36207
GHSA-5x25-c2rf-f2jx