PatchSiren cyber security CVE debrief
CVE-2026-41000 Spring CVE debrief
CVE-2026-41000 is a vulnerability in the Wss4jSecurityInterceptor of Spring Web Services. The interceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. This could make protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics ineffective, even when operators configured a replay cache on the interceptor.
- Vendor: Spring
- Product: Spring Web Services
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of affected Spring Web Services versions should be aware of this vulnerability. Affected versions include Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
Technical summary
The CVSS score for this vulnerability is 3.7, with a severity rating of LOW. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. It is classified under CWE-294.
Defensive priority
This vulnerability has a LOW severity rating. However, users of affected versions should still prioritize patching to prevent potential replay attacks.
Recommended defensive actions
- Upgrade to a non-affected version of Spring Web Services.
- Review the replay cache configuration on the interceptor and adjust it as needed.
Evidence notes
Evidence suggests that the vendor is likely 'Spring', based on the information provided in the source item.
Official resources
- CVE-2026-41000 CVE record (CVE.org)
- CVE-2026-41000 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41000 was published on 2026-06-11T07:16:28.037Z and modified on 2026-06-11T15:21:30.653Z.