PatchSiren cyber security CVE debrief
CVE-2026-40995 Spring CVE debrief
CVE-2026-40995 is a vulnerability in Spring Web Services that affects versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. The vulnerability is caused by the X509AuthenticationProvider issuing a fully authenticated X509AuthenticationToken when a presented certificate maps to UserDetails, without applying Spring Security's standard account lifecycle checks. This could allow an attacker to bypass authentication for disabled, locked, expired, or credentials-expired accounts.
- Vendor: Spring
- Product: Spring Web Services
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Operators of applications built on affected Spring Web Services versions, in particular those that authenticate SOAP clients by X.509 certificate through X509AuthenticationProvider, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The X509AuthenticationProvider in Spring Web Services maps a presented certificate to UserDetails and issues a fully authenticated X509AuthenticationToken without applying Spring Security's account lifecycle checks, so disabled, locked, expired, or credentials-expired accounts can still authenticate (authentication bypass, CWE-287).
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a non-affected version of Spring Web Services.
- Apply patches or updates provided by the vendor.
- Review and adjust authentication configurations to ensure proper account lifecycle checks are in place.
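As an added illustration of the "proper account lifecycle checks" the actions above call for (this is not code from the Spring project or from this advisory): a delegating AuthenticationProvider that wraps the affected X509AuthenticationProvider and runs Spring Security's AccountStatusUserDetailsChecker on the mapped UserDetails before the token is accepted. The class name and wiring are assumptions; it assumes the wrapped provider returns an Authentication whose principal is a UserDetails, as the certificate-to-user mapping described above implies.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;

/**
 * Hypothetical wrapper (not part of Spring WS): delegates authentication to
 * an existing provider such as X509AuthenticationProvider, then applies the
 * standard account lifecycle checks that the affected versions skip.
 */
public class AccountStatusCheckingProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;
    private final UserDetailsChecker checker;

    public AccountStatusCheckingProvider(AuthenticationProvider delegate) {
        // AccountStatusUserDetailsChecker throws LockedException, DisabledException,
        // AccountExpiredException or CredentialsExpiredException as appropriate.
        this(delegate, new AccountStatusUserDetailsChecker());
    }

    AccountStatusCheckingProvider(AuthenticationProvider delegate, UserDetailsChecker checker) {
        this.delegate = delegate;
        this.checker = checker;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Authentication result = delegate.authenticate(authentication);
        if (result == null) {
            return null; // delegate did not handle this token; let the next provider try
        }
        Object principal = result.getPrincipal();
        if (!(principal instanceof UserDetails)) {
            // No lifecycle flags to inspect, so fail closed rather than trust the token.
            throw new InsufficientAuthenticationException("principal is not a UserDetails");
        }
        // Rejects disabled, locked, expired and credentials-expired accounts before
        // the fully authenticated token can reach the endpoint.
        checker.check((UserDetails) principal);
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register this wrapper in place of the bare X509AuthenticationProvider in the AuthenticationManager's provider list; upgrading to a fixed version remains the primary remediation.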
Evidence notes
The CVE-2026-40995 vulnerability was published on June 11, 2026, and has a CVSS score of 5.4. The vulnerability is categorized under CWE-287.
Official resources
- CVE-2026-40995 CVE record (CVE.org): https://www.cve.org/CVERecord?id=CVE-2026-40995
- CVE-2026-40995 NVD detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2026-40995
- Source item: nvd_modified
- Source reference: CVE-2026-40995 was published on [2026-06-11T07:16:27.430Z](https://www.cve.org/CVERecord?id=CVE-2026-40995) and last modified on [2026-06-11T15:21:30.653Z](https://nvd.nist.gov/vuln/detail/CVE-2026-40995).