PatchSiren cyber security CVE debrief
CVE-2026-40996 Spring CVE debrief
CVE-2026-40996 is a vulnerability in Spring Web Services that affects versions 5.0.0 through 5.0.1, 4.1.0 through 4.1.3, 4.0.0 through 4.0.18, and 3.1.0 through 3.1.8. The vulnerability arises from the Wss4jSecurityInterceptor's default setting of allowRSA15KeyTransportAlgorithm to true, which overrides Apache WSS4J's safer default. This allows for the acceptance of RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material for inbound WS-Security decryption, unless explicitly reconfigured by operators.
- Vendor: Spring
- Product: Spring Web Services
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Operators running an affected Spring Web Services version, in particular those using Wss4jSecurityInterceptor to decrypt inbound WS-Security messages, should review their configuration and apply the mitigations below.
Technical summary
The vulnerability has a CVSS score of 4.8 and is classified as MEDIUM severity. It is reachable over the network, requires high attack complexity, and needs no user interaction.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to a non-affected version of Spring Web Services.
- Reconfigure the allowRSA15KeyTransportAlgorithm flag to false if upgrading is not feasible.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].
Official resources
- CVE-2026-40996 CVE record (CVE.org)
- CVE-2026-40996 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-40996 was published on 2026-06-11T07:16:27.550Z and modified on 2026-06-11T15:21:30.653Z.