PatchSiren cyber security CVE debrief

CVE-2026-40999 Spring CVE debrief

CVE-2026-40999 is a high-severity vulnerability in Spring Web Services. When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. This vulnerability affects Spring Web Services versions 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. The CVSS score for this vulnerability is 8.6, indicating a high severity level. The vulnerability was published on [cvePublishedAt] and last modified on [cveModifiedAt].

Vendor: Spring
Product: Spring Web Services
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Users of affected Spring Web Services versions should be aware of this vulnerability and take necessary actions to mitigate potential risks.

Technical summary

The vulnerability arises from the lack of verification of destinations taken directly from request headers when WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses. This could potentially lead to security risks if an attacker can manipulate the request headers to connect to malicious destinations.

Defensive priority

High

Recommended defensive actions

Upgrade to a non-affected version of Spring Web Services.
Implement additional security measures to verify the safety of destinations before initiating outbound connections.

Evidence notes

The CVE record [resourceLinkAnnotations:cve-org] and NVD detail [resourceLinkAnnotations:nvd] provide further information about this vulnerability.

Official resources

CVE-2026-40999 was published on 2026-06-11T07:16:27.907Z and last modified on 2026-06-11T15:21:30.653Z.