PatchSiren cyber security CVE debrief
CVE-2026-40993 Spring CVE debrief
CVE-2026-40993 is a HIGH severity (CVSS 7.3) vulnerability in Spring Security 7.0.0 through 7.0.5. An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns that hold the collection of verification credentials (verification_credentials) and encryption credentials (encryption_credentials). Those columns are deserialized by the application when the repository loads an asserting party's metadata, so a payload written to the database is processed inside the relying party application, not by the attacker.
- Vendor: Spring
- Product: Spring Security
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Applications on Spring Security 7.0.0 through 7.0.5 that use the SAML 2.0 relying party support with JdbcAssertingPartyMetadataRepository, that is, that load asserting party metadata from the saml2_asserting_party_metadata table, are affected. Deployments that do not use that repository do not exercise the affected code path, though upgrading remains the simplest way to close the issue. The precondition is write access to the table, so the threat model includes anyone who can reach it: a compromised application database account, a SQL injection elsewhere in the application, a database user shared across services, or an operator with broad grants.
Technical summary
JdbcAssertingPartyMetadataRepository reads asserting party metadata from the saml2_asserting_party_metadata table. The verification_credentials and encryption_credentials columns each store a serialized collection of credentials, and the repository deserializes them when it loads an entry. An attacker who can write to those columns can therefore place a malicious serialized payload in the database and have the application deserialize it the next time it loads that asserting party's metadata. The attack requires database write access, which is why the CVSS score is HIGH rather than CRITICAL: the vulnerability turns a foothold in the database into an attack on the application that trusts it.
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch or upgrade to a non-affected version of Spring Security.
- Restrict write permissions on the saml2_asserting_party_metadata table to the role that provisions asserting party metadata. Unless the application itself writes rows through the repository, its runtime database account should only need SELECT on the table. Review which roles currently hold INSERT, UPDATE or DELETE on it, and treat unexpected changes to the verification_credentials and encryption_credentials columns as a security event rather than a configuration change.
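As an added example (not from the advisory or the Spring project), the PostgreSQL statements below implement the second action: the application's runtime role is confined to reading the table, a separate provisioning role holds the write privileges, and a final query lists every role that can still write. The table and column names are the ones the advisory cites; the role names app_runtime and saml_provisioner, and the PostgreSQL dialect, are assumptions.

```sql
-- Added example, not from the advisory or the Spring project.
-- Assumptions: PostgreSQL; app_runtime is the Spring application's
-- database role; saml_provisioner is the role that manages asserting
-- party metadata. The table and columns come from CVE-2026-40993.

-- Weak setting (shown for contrast, commented out): the runtime role
-- has full DML on the table, so any leaked runtime credential or SQL
-- injection can rewrite verification_credentials / encryption_credentials.
-- GRANT ALL PRIVILEGES ON saml2_asserting_party_metadata TO app_runtime;

-- Hardened setting: the runtime role reads only.
REVOKE ALL PRIVILEGES ON saml2_asserting_party_metadata FROM app_runtime;
GRANT SELECT ON saml2_asserting_party_metadata TO app_runtime;

-- Writes go through a dedicated provisioning role.
REVOKE ALL PRIVILEGES ON saml2_asserting_party_metadata FROM saml_provisioner;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON saml2_asserting_party_metadata TO saml_provisioner;

-- Drop any privileges granted to every role, in case they were added.
REVOKE ALL PRIVILEGES ON saml2_asserting_party_metadata FROM PUBLIC;

-- The owner always retains full rights, so the table must not be owned
-- by the runtime role; move ownership to the provisioning role.
ALTER TABLE saml2_asserting_party_metadata OWNER TO saml_provisioner;

-- Check: which roles can still write to the table?
-- Expected result after the grants above: saml_provisioner only.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'saml2_asserting_party_metadata'
  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE')
ORDER BY grantee, privilege_type;
```

Run the final query before and after the change; if app_runtime still appears, the grant is coming from a role it inherits or from table ownership rather than a direct grant. If the application does write asserting party rows itself, keep its privileges as narrow as that code path requires instead of removing them entirely.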
Evidence notes
The CVE-2026-40993 vulnerability was published on 2026-06-10T00:16:50.197Z and last modified on 2026-06-10T19:24:04.320Z.
Official resources
- CVE-2026-40993 CVE record (CVE.org)
- CVE-2026-40993 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: CVE-2026-40993 was published on 2026-06-10T00:16:50.197Z and last modified on 2026-06-10T19:24:04.320Z.