PatchSiren cyber security CVE debrief
CVE-2026-40988 Spring CVE debrief
CVE-2026-40988 is a HIGH severity vulnerability in Spring Security that can lead to a denial of service via an unbounded writer that inflates the compressed SAML payload into memory. The vulnerability affects Spring Security versions 5.7.0 through 5.7.23, 5.8.0 through 5.8.25, 6.3.0 through 6.3.16, 6.4.0 through 6.4.16, 6.5.0 through 6.5.10, and 7.0.0 through 7.0.5.
- Vendor: Spring
- Product: Spring Security
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-12
Who should care
Anyone running a Spring Security application on one of the affected versions that acts as a SAML 2.0 relying party (service provider) and accepts SAML 2.0 Login or Logout messages over the HTTP-Redirect binding. The endpoints that receive these messages are reached before the user is authenticated, so any client that can reach them can send the oversized payload without credentials. Deployments that do not use the SAML 2.0 support, or that never accept the REDIRECT binding, are outside the trigger described here but should still track the fixed releases.
Technical summary
In the SAML 2.0 HTTP-Redirect binding the message (an AuthnRequest, LogoutRequest or LogoutResponse) is DEFLATE-compressed, base64-encoded and carried in the SAMLRequest or SAMLResponse query parameter, so the receiver has to inflate it before it can parse or validate anything. In affected versions, the SAML 2.0 Login and Logout support inflates that parameter with a writer that places no upper bound on the decompressed size. DEFLATE can expand highly repetitive input by roughly a thousand to one, so a query string of a few kilobytes can become tens of megabytes on the heap; a handful of such requests exhaust memory and deny service to the whole application.
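To make the mechanism concrete, the following is an added Python example, not code from Spring Security or from this advisory. It encodes a message the way the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoding), builds a constructed payload of a few kilobytes that inflates to 16 MiB, and contrasts an unbounded inflate with a bounded one that aborts as soon as the output passes a cap. The 1 MiB cap, the sample AuthnRequest text and all function names are assumptions for illustration; Spring Security's own implementation and its fix are not reproduced here.

```python
"""Decompression-bomb demo for the SAML HTTP-Redirect binding (added example).
All inputs below are constructed locally; nothing is fetched or sent."""
import base64
import zlib
from urllib.parse import quote, unquote

# Assumed cap on the inflated message size. A real AuthnRequest/LogoutRequest
# is a few KB; tune this to the largest legitimate message you actually see.
MAX_INFLATED_BYTES = 1 * 1024 * 1024


class PayloadTooLarge(ValueError):
    """Raised when the inflated SAML message would exceed the configured cap."""


def encode_redirect_param(xml: bytes) -> str:
    """Encode a SAML message the way the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header, wbits=-15), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def _decode_param(param: str) -> bytes:
    """Reverse the URL-encoding and base64 layers, leaving raw DEFLATE bytes."""
    return base64.b64decode(unquote(param))


def inflate_unbounded(param: str) -> bytes:
    """What a vulnerable decoder does: inflate to completion, whatever the size."""
    return zlib.decompress(_decode_param(param), -15)


def inflate_bounded(param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Hardened decoder: stream the inflate and abort as soon as the output
    would exceed `limit`, before the attacker's expansion is materialised."""
    d = zlib.decompressobj(-15)
    out = bytearray()
    data = _decode_param(param)
    while not d.eof:
        # max_length bounds how much output this call may produce; it is always
        # >= 1 here because we raise as soon as len(out) passes the limit.
        piece = d.decompress(data, max_length=limit + 1 - len(out))
        out += piece
        if len(out) > limit:
            raise PayloadTooLarge(f"inflated SAML message exceeds {limit} bytes")
        data = d.unconsumed_tail  # input zlib has not processed yet
        if not piece and not data:
            raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def build_bomb(inflated_size: int) -> str:
    """Constructed attacker input: an XML-looking prefix followed by highly
    compressible filler, encoded exactly like a legitimate SAMLRequest."""
    prefix = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    return encode_redirect_param(prefix + b" " * (inflated_size - len(prefix)))


# Constructed sample of a legitimate (tiny) request for comparison.
LEGIT_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_abc123" Version="2.0" IssueInstant="2026-06-10T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.test/login/saml2/sso">'
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'https://sp.example.test</saml:Issuer></samlp:AuthnRequest>'
)


def demo() -> dict:
    """Return the sizes involved so the amplification is visible."""
    bomb = build_bomb(16 * 1024 * 1024)
    result = {
        "bomb_param_bytes": len(bomb),
        "bomb_inflated_bytes": len(inflate_unbounded(bomb)),
        "legit_roundtrip_ok": inflate_bounded(encode_redirect_param(LEGIT_XML)) == LEGIT_XML,
    }
    try:
        inflate_bounded(bomb)
        result["bomb_rejected"] = False
    except PayloadTooLarge:
        result["bomb_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the script prints the query-parameter size (tens of kilobytes), the 16 MiB it inflates to, and confirms that the bounded decoder accepts the small request and rejects the bomb. The cap is placed on the decompressed output rather than the input because input length is a poor proxy: at DEFLATE's best-case ratio a proxy-level query-string limit still permits a thousandfold expansion.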
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Spring Security to a release outside the affected ranges listed above; consult the vendor advisory linked below for the fixed release of each supported line.
- If Spring Security arrives through Spring Boot or another BOM, override the managed version rather than waiting for the next BOM release, and confirm the resolved version in the build's dependency output.
- Until the upgrade is deployed, reduce exposure at the edge: cap the request line and query-string length for the SAML login and logout endpoints at the reverse proxy or WAF (the REDIRECT payload travels in the query string, and DEFLATE's maximum ratio is about 1000:1, so a length cap bounds the worst-case inflation), rate-limit those endpoints, and alert on heap exhaustion and GC pressure on the affected services.
Evidence notes
The CVE record and NVD detail pages provide additional information about the vulnerability.
Official resources
- CVE-2026-40988 CVE record (CVE.org)
- CVE-2026-40988 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-40988 was published on 2026-06-10T00:16:49.527Z and modified on 2026-06-12T20:38:02.607Z.