Spring Web Services EUVD-2026-36209 | CVE-2026-40999 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-11 vmware GHSA-whpp-xv3h-rwxf
8.6 CVSS 3.1 · Vendor: vmware

Severity by source

Vendor (vmware), primary: 8.6 HIGH
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

vuln.today AI: 8.6 HIGH
Unauthenticated network-reachable SOAP endpoint (AV:N/AC:L/PR:N/UI:N); SSRF reaches resources outside the vulnerable component (S:C); primary impact is reading internal data (C:H), with no integrity or availability effect.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 11, 2026 - 08:01 (EUVD)
Analysis Generated: Jun 11, 2026 - 07:00 (vuln.today)

Description (CVE.org)

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to.

Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.

Analysis (AI)

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. …

Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed Spring WS endpoint
Delivery: Craft SOAP envelope with malicious wsa:ReplyTo
Exploit: Send request to vulnerable service
Execution: Server invokes WebServiceMessageSender to attacker URL
Persist: Outbound request reaches internal target
Impact: Exfiltrate metadata or pivot to internal services

Vulnerability Assessment (AI)

Exploitation: The Spring WS application must have WS-Addressing enabled (the AddressingInterceptor or equivalent wired into the message dispatcher) and must be configured with a WebServiceMessageSender capable of outbound network connections (the default HTTP-based senders qualify). …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N with a score of 8.6 reflects an unauthenticated network-reachable SSRF whose scope changes to other systems (the back-end resources the Spring WS server can reach) and whose primary impact is confidentiality, which is typical for SSRF used to read cloud metadata, internal admin APIs, or non-public services. …
Exploit Scenario: An unauthenticated attacker sends a SOAP request to an exposed Spring WS endpoint with a wsa:ReplyTo header pointing at an internal resource such as http://169.254.169.254/latest/meta-data/iam/security-credentials/ or an internal admin API. The Spring WS server, processing the asynchronous reply path, uses its configured HTTP WebServiceMessageSender to connect to that URL from inside the trust boundary, returning or exposing sensitive responses depending on how errors and metadata are surfaced. …
Remediation: Upgrade to a fixed maintenance release in each supported line as published in the Spring advisory at https://spring.io/security/cve-2026-40999 (patch available per vendor advisory; exact fixed versions should be taken from that page since the input does not enumerate them). …
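The description and assessment above say the reply path hands whatever URI arrives in wsa:ReplyTo or wsa:FaultTo to the configured WebServiceMessageSender. Until the upgrade lands, a compensating control is to make the sender itself refuse destinations that are not on an explicit allowlist. The decorator below is an added example written for this page, not code from Spring Web Services or from the advisory; it relies only on the public WebServiceMessageSender interface (supports and createConnection). The allowlist entries, the partner.example.com host and the wiring described in the usage note are assumptions about a deployment, not values from the advisory.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.WebServiceMessageSender;

/**
 * Example compensating control (not Spring WS code): wraps any
 * WebServiceMessageSender and refuses to open outbound connections to
 * destinations that are not on an explicit scheme://host:port allowlist.
 * Because the WS-Addressing reply path passes the wsa:ReplyTo / wsa:FaultTo
 * URI to the configured sender, wrapping every configured sender puts the
 * destination check in front of every socket the reply path can open.
 */
public final class AllowlistedMessageSender implements WebServiceMessageSender {

    private final WebServiceMessageSender delegate;
    // Assumed allowlist format, e.g. "https://partner.example.com:443".
    private final Set<String> allowedOrigins;

    public AllowlistedMessageSender(WebServiceMessageSender delegate, Set<String> allowedOrigins) {
        this.delegate = delegate;
        this.allowedOrigins = Set.copyOf(allowedOrigins);
    }

    /**
     * Normalises a URI to lower-case scheme://host:port so that case and an
     * omitted default port cannot be used to slip past a literal string match.
     * Returns null for relative or opaque URIs, which are never allowed.
     */
    static String originOf(URI uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port == -1) {
            port = "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
        }
        return scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
    }

    public boolean isAllowed(URI uri) {
        String origin = originOf(uri);
        return origin != null && allowedOrigins.contains(origin);
    }

    @Override
    public boolean supports(URI uri) {
        // Report off-list destinations as unsupported so the dispatcher never
        // reaches createConnection() with a request-controlled address.
        return isAllowed(uri) && delegate.supports(uri);
    }

    @Override
    public WebServiceConnection createConnection(URI uri) throws IOException {
        if (!isAllowed(uri)) {
            // Fail closed even if a caller bypasses supports().
            throw new IOException("Refusing outbound WS-Addressing connection to non-allowlisted destination: " + uri);
        }
        return delegate.createConnection(uri);
    }
}
```

Assumed wiring: where the endpoint mapping that performs WS-Addressing dispatch accepts message senders, register `new AllowlistedMessageSender(new HttpUrlConnectionMessageSender(), Set.of("https://partner.example.com:443"))` in place of the bare HTTP sender, so that a wsa:ReplyTo naming 169.254.169.254 or an internal admin host is rejected before any connection is made. Log the rejected URI, since a burst of refused ReplyTo targets is a useful detection signal. This narrows the reachable set of hosts; it does not replace upgrading to the fixed release, and the WS-Addressing anonymous address (in-band reply) is unaffected because the sender is not invoked for it.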

Recommended Action (AI)

Within 24 hours: Identify all systems running Spring Web Services and confirm which versions (3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, 5.0.0-5.0.1) are deployed in production and development environments. …
