Vulnerability Directory | CVE-2026-40996

Overview

Spring Web Services (Spring WS) is a product of the Spring community focused on creating document-driven, contract-first SOAP web services; its spring-ws-security module integrates Apache WSS4J to apply and validate WS-Security on SOAP messages. A medium-severity vulnerability (CVE-2026-40996) has been identified in the Wss4jSecurityInterceptor, which defaulted its allowRSA15KeyTransportAlgorithm setting to true, overriding Apache WSS4J's safer default for inbound validation. As a result, inbound WS-Security decryption accepted encrypted key material using the legacy RSA PKCS#1 v1.5 key transport algorithm unless operators explicitly reconfigured the flag, increasing exposure to attacks that target that construction from man-in-the-middle or oracle-capable positions.

Per OWASP, Cryptographic Failures cover failures related to cryptography that often lead to exposure of sensitive data, including the use of weak or deprecated cryptographic algorithms and protocols that should no longer be accepted.

This issue affects >=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, and >=5.0.0 <=5.0.1 of Spring Web Services. Versions that are no longer supported are also affected.

‍

Details

Module Info

Product: Spring Web Services
Affected packages: spring-ws-security
Affected versions: >=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1
GitHub repository: https://github.com/spring-projects/spring-ws
Published packages: https://central.sonatype.com/artifact/org.springframework.ws/spring-ws-security
Package manager: Maven
Fixed in:
NES for Spring Web Services 2.4.x, 3.1.x, 4.0.x
Spring Web Services 5.0.2, 4.1.4 (OSS)

Vulnerability Info

The Wss4jSecurityInterceptor in the spring-ws-security module delegates WS-Security processing of inbound SOAP messages to Apache WSS4J. WSS4J deliberately rejects the RSA PKCS#1 v1.5 key transport algorithm (http://www.w3.org/2001/04/xmlenc#rsa-1_5) by default when validating encrypted messages, because that legacy construction is susceptible to Bleichenbacher-style padding-oracle attacks that can let an attacker recover the symmetric key protecting the message.

Spring WS overrode that safer default. The interceptor declared its allowRSA15KeyTransportAlgorithm field as true:‍

// Allow RSA 15 to maintain default behavior
private boolean allowRSA15KeyTransportAlgorithm = true;

‍

and propagated it into the WSS4J validation configuration:

requestData.setAllowRSA15KeyTransportAlgorithm(allowRSA15KeyTransportAlgorithm);

Consequently, any application that performed inbound XML decryption or key transport through Spring WS accepted rsa-1_5 encrypted key material out of the box. An attacker in a man-in-the-middle or oracle-capable position, interacting with peers that negotiate or emit RSA v1.5 key transport, could exploit the weaker algorithm choice to attack the confidentiality and integrity of encrypted exchanges. The remediation changes the default to false, matching Apache WSS4J, so inbound RSA PKCS#1 v1.5 key transport is rejected unless an operator explicitly opts in via setAllowRSA15KeyTransportAlgorithm.

‍

Mitigation

The affected Spring Web Services lines that are End-of-Life will not receive further public security updates. The 3.1.x and 4.0.x lines in particular have no publicly available fix. Information about Spring Web Services support timelines is available at https://spring.io/projects/spring-ws.

Users should take one of the following actions:

Upgrade to a supported fixed version where one is publicly available: Spring Web Services 5.0.2 or 4.1.4.
For End-of-Life lines that have no publicly available fix, obtain continued security support through a commercial support partner like HeroDevs. NES for Spring Web Services provides a drop-in patched build for affected lines.

If an immediate upgrade is not possible, users can explicitly reject RSA PKCS#1 v1.5 key transport by calling setAllowRSA15KeyTransportAlgorithm(false) on the Wss4jSecurityInterceptor.