CVE-2026-40991

Content Spoofing
Affects Spring REST Docs in Spring
Versions: >=1.0.0 <=3.0.5, =4.0.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring REST Docs is a library for producing accurate, readable documentation for RESTful services by combining hand-written content with auto-generated snippets captured from tests written with Spring MVC Test, Spring WebFlux's WebTestClient, or REST Assured. It helps teams keep API documentation in sync with the actual behavior of their services.

A medium-severity vulnerability (CVE-2026-40991) has been identified in Spring REST Docs. The XML processors used by the spring-restdocs-webtestclient and spring-restdocs-restassured modules to document a remote API accessed over HTTP create their parsers without disabling DOCTYPE declarations or external entity resolution. An attacker who compromises the API being documented, or who tricks a user into documenting a malicious API, can return crafted XML that performs an XML External Entity (XXE) injection attack the next time the documentation-generating tests are executed, potentially disclosing local files or triggering out-of-band server-side requests from the machine running the tests.

Per OWASP, an XML External Entity (XXE) attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser, which may lead to disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This issue affects Spring REST Docs versions >=1.0.0 <=3.0.5, =4.0.0.

Details

Spring REST Docs generates documentation snippets from the request and response payloads captured during a test. When a payload has an XML body, the spring-restdocs-core module processes it through two code paths: XmlContentHandler, which builds a DOM to extract and validate documented fields, and PrettyPrintingContentModifier, which re-parses the body with a SAX parser and re-serializes it to produce a formatted snippet.

Both paths constructed their XML parsers with default, insecure settings. XmlContentHandler created its document builder with DocumentBuilderFactory.newInstance().newDocumentBuilder(), and PrettyPrintingContentModifier created a SAXParserFactory and a Transformer the same way:

// XmlContentHandler: default factory settings, so DOCTYPE declarations and external entities are allowed
this.documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();

// PrettyPrintingContentModifier: the transformer and SAX parser are built with the same defaults
Transformer transformer = TransformerFactory.newInstance().newTransformer();
SAXParserFactory parserFactory = SAXParserFactory.newInstance();
SAXParser parser = parserFactory.newSAXParser();

With DOCTYPE declarations permitted and external general entities resolved, an XML body such as the following causes the parser to resolve the external entity when the body is processed:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

Because documentation is typically generated on a developer workstation or a CI runner with access to the local filesystem and internal network, a successful XXE injection can read local files or cause out-of-band requests to internal hosts. The spring-restdocs-mockmvc flow documents locally produced responses and is not the realistic attack surface; the exposure arises specifically when documenting a remote, attacker-influenced API with the WebTestClient or REST Assured integrations.
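The following is an added example, not code from Spring REST Docs or from the fix itself, showing how the three parser objects named above can be constructed so that a body carrying a DOCTYPE is refused before any entity is resolved. It builds a DocumentBuilder for the field-extraction path and a SAXParser plus Transformer for the pretty-printing path, then feeds each a plain body and a constructed DOCTYPE body of the shape shown above (pointing at a placeholder path, so the program touches nothing real). The feature URIs are the ones understood by the JDK's built-in Xerces-derived parsers; the class and method names are this example's own.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsers {

    // Constructed sample bodies (not captured from a real API). The DOCTYPE body has the
    // shape described in the advisory but references a placeholder path, nothing real.
    static final String PLAIN_BODY = "<foo><bar>1</bar></foo>";
    static final String DOCTYPE_BODY =
            "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///placeholder/not-a-real-file\">]>"
            + "<foo>&xxe;</foo>";

    // Feature names understood by the JDK's built-in (Xerces-derived) parsers.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    /** DOM builder for the field-extraction path: DOCTYPE refused, external entities never resolved. */
    static DocumentBuilder hardenedDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(EXTERNAL_GENERAL, false);
        factory.setFeature(EXTERNAL_PARAMETER, false);
        factory.setXIncludeAware(false);
        return factory.newDocumentBuilder();
    }

    /** SAX parser for the pretty-printing path, hardened the same way. */
    static SAXParser hardenedSaxParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(EXTERNAL_GENERAL, false);
        factory.setFeature(EXTERNAL_PARAMETER, false);
        factory.setXIncludeAware(false);
        return factory.newSAXParser();
    }

    /** Transformer that is not permitted to fetch external DTDs or stylesheets. */
    static Transformer hardenedTransformer() throws Exception {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory.newTransformer();
    }

    /** True if the hardened DOM builder accepts the body, false if it rejects it. */
    static boolean domAccepts(String body) throws Exception {
        try {
            hardenedDocumentBuilder().parse(new InputSource(new StringReader(body)));
            return true;
        } catch (SAXParseException rejected) {
            return false;
        }
    }

    /** Re-serialises the body with indentation. The transformer reads through the hardened
     *  SAX reader, so a DOCTYPE is refused before any entity reference could be expanded. */
    static String prettyPrint(String body) throws Exception {
        Transformer transformer = hardenedTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        SAXSource source = new SAXSource(hardenedSaxParser().getXMLReader(),
                new InputSource(new StringReader(body)));
        StringWriter out = new StringWriter();
        transformer.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain body accepted by DOM:   " + domAccepts(PLAIN_BODY));
        System.out.println("DOCTYPE body accepted by DOM: " + domAccepts(DOCTYPE_BODY));
        System.out.println(prettyPrint(PLAIN_BODY));
        try {
            prettyPrint(DOCTYPE_BODY);
            System.out.println("DOCTYPE body was pretty-printed: parser is NOT hardened");
        } catch (Exception rejected) {
            System.out.println("DOCTYPE body rejected by pretty-printer: " + rejected.getMessage());
        }
    }
}
```

Disabling DOCTYPE declarations outright is the simplest effective setting for this use case, since documentation snippets have no legitimate need for a DTD; the two external-entity features are kept as defence in depth for parsers that do not honour the Xerces-specific disallow-doctype-decl feature (on such parsers setFeature throws ParserConfigurationException rather than silently ignoring the request, which is the behaviour you want in a test suite).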

This vulnerability has been present since the earliest Spring REST Docs 1.x releases.

Mitigation

Spring REST Docs 2.0.x and earlier are End-of-Life and do not receive free security updates; the 2.0.x line received no public fix for this issue. For End-of-Life information, see https://spring.io/projects/spring-restdocs.

Affected users should:

  1. Upgrade to a supported release line that contains the fix (Spring REST Docs 3.0.6 or 4.0.1).
  2. For applications that must remain on an End-of-Life line, use HeroDevs Never-Ending Support (NES) for Spring REST Docs, which provides a backported fix for this vulnerability without requiring a major upgrade. Learn more about HeroDevs Never-Ending Support for Spring REST Docs and request coverage at https://www.herodevs.com/support/spring-nes.

Vulnerability Details

Severity: Medium (CVSS >=4 <6; scale used on this page: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-40991
Project Affected: Spring REST Docs
Versions Affected: >=1.0.0 <=3.0.5, =4.0.0
NES Versions Affected: none listed
Published date: June 10, 2026
Approximate fix date: June 10, 2026
Category: Content Spoofing