PatchSiren cyber security CVE debrief
CVE-2026-40994 Spring CVE debrief
CVE-2026-40994 is a HIGH severity vulnerability with a CVSS score of 8.2. The Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. This allows services that validate WS-Security on the network to accept messages that violate BSP rules, weakening protocol-level checks. Affected versions include Spring Web Services 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8.
- Vendor: Spring
- Product: Spring Web Services
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Spring Web Services 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The Wss4jSecurityInterceptor's BSP compliance flag was initialized in a way that disabled WSS4J BSP (WS-I Basic Security Profile) enforcement on RequestData during inbound validation. As a result, services that validate WS-Security on the network could accept messages that violate BSP rules, weakening protocol-level checks.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a non-affected version of Spring Web Services.
- Implement additional security measures to validate WS-Security messages.
Evidence notes
The CVE was published on 2026-06-11T07:16:27.297Z and last modified on 2026-06-11T15:21:30.653Z. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N.
Official resources
- CVE-2026-40994 CVE record (CVE.org)
- CVE-2026-40994 NVD detail (NVD)
- Source reference: CVE-2026-40994 was published on 2026-06-11T07:16:27.297Z.