PatchSiren cyber security CVE debrief
CVE-2026-40997 Spring CVE debrief
CVE-2026-40997 is a medium-severity vulnerability in Spring Web Services that could allow remote attackers to infer account state through exception messages or callback outcomes. The vulnerability affects several Spring WS integration paths with Spring Security, potentially surfacing detailed account state, such as locked or disabled user semantics, to remote SOAP clients.
- Vendor: Spring
- Product: Spring Web Services
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of the affected Spring Web Services versions (5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8) should be aware of this vulnerability and take the necessary mitigating actions.
Technical summary
The vulnerability arises from detailed exception messages or callback outcomes in the Spring WS integration paths with Spring Security. Differences in those messages or outcomes could help remote attackers distinguish valid accounts from invalid ones and infer account lifecycle state, such as whether a user is locked or disabled.
Defensive priority
Medium
Recommended defensive actions
- Upgrade to a non-vulnerable version of Spring Web Services.
- Implement generic authentication error handling to prevent detailed account state disclosure.
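One way to apply the second action in Spring WS, as an added example that is not PatchSiren's or Spring's own code: a configuration bean that maps every authentication-related exception to the same generic SOAP fault, so the fault string no longer reveals whether an account is unknown, locked or disabled. It uses the public Spring WS classes SoapFaultMappingExceptionResolver and SoapFaultDefinition and the Spring Security AuthenticationException hierarchy; the bean name, the fault strings and the wiring into a WS-Security interceptor's exceptionResolver property are this example's own assumptions, and the example does not claim to reproduce the exact code path the advisory refers to.

```java
// Added example (not PatchSiren's or Spring's code): collapse all authentication
// failures into one generic SOAP fault so a remote SOAP client cannot distinguish
// "locked" or "disabled" from "wrong password" or "unknown user".
// Assumption: the Spring WS endpoint-exception-resolver machinery is in use and,
// for WS-Security interceptors, the interceptor's exceptionResolver property is
// wired to this bean (see usage note below).
import java.util.Properties;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.AuthenticationException;
import org.springframework.ws.soap.security.WsSecurityValidationException;
import org.springframework.ws.soap.server.endpoint.SoapFaultDefinition;
import org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver;

@Configuration
public class GenericAuthFaultConfig {

    @Bean
    public SoapFaultMappingExceptionResolver genericAuthFaultResolver() {
        SoapFaultMappingExceptionResolver resolver = new SoapFaultMappingExceptionResolver();

        // Key: exception class name. The resolver also matches subclasses, so
        // LockedException, DisabledException, AccountExpiredException,
        // BadCredentialsException and UsernameNotFoundException all hit the same
        // entry. Value: "<faultCode>,<faultString>" in SoapFaultDefinitionEditor
        // syntax; the fault string is a constant, never the exception message.
        Properties mappings = new Properties();
        mappings.setProperty(AuthenticationException.class.getName(),
                "CLIENT,Authentication failed");
        // Validation failures raised by the WS-Security layer get the same text.
        mappings.setProperty(WsSecurityValidationException.class.getName(),
                "CLIENT,Authentication failed");
        resolver.setExceptionMappings(mappings);

        // Anything unmapped becomes a generic server fault; again no ex.getMessage().
        SoapFaultDefinition fallback = new SoapFaultDefinition();
        fallback.setFaultCode(SoapFaultDefinition.SERVER);
        fallback.setFaultStringOrReason("The request could not be processed");
        resolver.setDefaultFault(fallback);

        // Highest precedence so no more verbose resolver can answer first.
        resolver.setOrder(0);
        return resolver;
    }
}
```

With this in place the detailed exception still exists server-side and can be logged for the operations team; only the wire-visible fault is uniform. If a WS-Security interceptor (for example Wss4jSecurityInterceptor) is used, its exceptionResolver property should point at this bean, because by default that interceptor writes the validation exception's message into the fault it returns. Upgrading to a non-vulnerable version remains the primary fix; this configuration is defence in depth.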
Evidence notes
The CVE-2026-40997 vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. The affected versions of Spring Web Services are 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Official resources
- CVE-2026-40997 CVE record (CVE.org): https://www.cve.org/CVERecord?id=CVE-2026-40997
- CVE-2026-40997 NVD detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2026-40997
- Source item: nvd_modified
- Source reference: CVE-2026-40997 was published on [2026-06-11T07:16:27.663Z](https://www.cve.org/CVERecord?id=CVE-2026-40997) and modified on [2026-06-11T15:21:30.653Z](https://nvd.nist.gov/vuln/detail/CVE-2026-40997).