PatchSiren cyber security CVE debrief
CVE-2026-40991 Spring CVE debrief
CVE-2026-40991 is a vulnerability in Spring REST Docs that allows for an XXE (XML External Entity) injection attack. When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. This vulnerability affects Spring REST Docs versions 4.0.0, 3.0.0 through 3.0.5, and 2.0.0.RELEASE through 2.0.8.RELEASE.
- Vendor: Spring
- Product: Spring REST Docs
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Spring REST Docs versions 4.0.0, 3.0.0 through 3.0.5, and 2.0.0.RELEASE through 2.0.8.RELEASE should be aware of this vulnerability and take steps to mitigate it. The exposure is specific to setups that use spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP.
Technical summary
The vulnerability has a CVSS score of 5.9 and a severity of MEDIUM. Exploitation requires the attacker to control the documented API (for example by compromising it) or to trick the user into documenting a malicious API; the XXE injection then takes place when the documentation-generating tests are next executed.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring REST Docs.
- Use a secure API documentation tool.
- Validate and sanitize user input.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide information on the vulnerability. The source reference [ref-4] provides additional details on the vulnerability and its fix.
Official resources
- CVE-2026-40991 CVE record (CVE.org)
- CVE-2026-40991 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-40991 was published on 2026-06-10T00:16:50.087Z and modified on 2026-06-10T19:24:04.320Z.