CVE-2026-40994
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Spring Web Services (Spring WS) is a product of the Spring community focused on creating document-driven, contract-first SOAP web services. Its spring-ws-security module integrates Apache WSS4J so that applications can sign, encrypt, and validate SOAP messages according to the WS-Security standard, with Wss4jSecurityInterceptor acting as the central interceptor for securing outgoing messages and validating incoming ones.
A high-severity vulnerability (CVE-2026-40994) has been identified in Spring Web Services. The Wss4jSecurityInterceptor initialized its WS-I Basic Security Profile (BSP) compliance flag to false, so inbound validation always disabled WSS4J's BSP enforcement, contradicting both the documented default of the setBspCompliant setter and WSS4J's own secure default. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules around signatures and related constructs, weakening protocol-level checks that are meant to constrain interoperable, safe use of WS-Security.
Per OWASP, this class of weakness falls under cryptographic failures, which cover failures related to cryptography such as improper verification of cryptographic signatures, and which often lead to exposure of sensitive data or system compromise. The WS-I Basic Security Profile exists precisely to rule out ambiguous and abuse-prone WS-Security constructs, such as non-standard signature transforms, and disabling its enforcement allows messages using those constructs to pass validation.
This issue affects versions >=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1 of Spring Web Services.
Details
Module Info
- Product: Spring Web Services
- Affected packages: spring-ws-security
- Affected versions: >=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1
- GitHub repository: https://github.com/spring-projects/spring-ws
- Published packages: https://central.sonatype.com/artifact/org.springframework.ws/spring-ws-security
- Package manager: Maven
- Fixed in:
  - NES for Spring Web Services 2.4.x, 3.1.x, 4.0.x
  - Spring Web Services 5.0.2, 4.1.4 (OSS)
Vulnerability Info
Wss4jSecurityInterceptor exposes a setBspCompliant(boolean) property whose Javadoc documents the default as true, matching Apache WSS4J's secure default of enforcing the WS-I Basic Security Profile during validation. The backing field, however, was declared without an initializer and therefore defaulted to false:
private boolean bspCompliant;

When the interceptor prepares the WSS4J RequestData for inbound validation, it propagates the inverse of that flag:

requestData.setDisableBSPEnforcement(!this.bspCompliant);
if (requestData.getBSPEnforcer() != null) {
    requestData.getBSPEnforcer().setDisableBSPRules(!this.bspCompliant);
}
With bspCompliant defaulting to false, every inbound validation ran with setDisableBSPEnforcement(true), silently turning off WSS4J's Basic Security Profile checks unless the application explicitly called setBspCompliant(true). The BSP rules constrain how WS-Security elements such as signatures, transforms, and references may be expressed, and WSS4J relies on them to reject ambiguous or known-dangerous constructs. With enforcement disabled, an attacker who can send SOAP messages to a service that uses Wss4jSecurityInterceptor for inbound validation can craft messages that deviate from the profile, for example by using non-standard transforms or unusual signature structures, and have them accepted by checks that were expected to reject them. This primarily undermines the integrity guarantees that WS-Security validation is supposed to provide.
The remediation initializes the flag to true so that BSP enforcement is on by default, aligning the actual behavior with the published setter contract and with WSS4J. Applications that must interoperate with peers that intentionally deviate from BSP rules can still opt out explicitly by calling setBspCompliant(false).
Mitigation
Spring Web Services 4.0.x, 3.1.x, and all older lines, including 2.4.x, are End-of-Life for open source users and have no publicly available fix for this issue. For support timeline information, see https://spring.io/projects/spring-ws.
Affected users should:
- Upgrade to a supported release line that contains the fix (Spring Web Services 5.0.2 or 4.1.4).
- For applications that must remain on an End-of-Life line, use HeroDevs Never-Ending Support (NES) for Spring Web Services, which provides a backported fix for this vulnerability without requiring a major upgrade. Learn more about HeroDevs Never-Ending Support for Spring Web Services and request coverage at https://www.herodevs.com/support/spring-nes.
As an interim hardening measure on any version, explicitly call setBspCompliant(true) on every Wss4jSecurityInterceptor used for inbound validation. Note that after applying the fix or enabling BSP compliance, messages from peers that violate the WS-I Basic Security Profile will be rejected; peers should be brought into compliance rather than disabling enforcement.