View all Vulnerabilities

CVE-2026-40999

Information Exposure
Affects
Spring Web Services
in
Spring
No items found.
Versions
>=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Web Services (Spring WS) is a product for building document-driven, contract-first SOAP web services, providing WS-Addressing, WS-Security, and message-mapping support on top of the Spring Framework. A high-severity vulnerability (CVE-2026-40999) has been identified in its WS-Addressing out-of-band reply handling.

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers, without verifying that those destinations are safe to connect to. A remote attacker can supply crafted addressing headers that cause the server to connect to internal-only hosts, cloud metadata endpoints, or other sensitive destinations, resulting in Server-Side Request Forgery (SSRF).

Per OWASP, Server-Side Request Forgery flaws occur whenever a web application fetches a remote resource without validating the user-supplied destination, allowing an attacker to coerce the application into sending requests to unintended internal services and bypassing network controls such as firewalls.

This issue only affects deployments where an AbstractAddressingEndpointMapping subclass is registered with one or more WebServiceMessageSender instances configured for out-of-band replies, the service accepts WS-Addressing headers from untrusted callers, and no restrictive destination validator or network-level egress control is in place.

This issue affects >=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, and >=5.0.0 <=5.0.1 of Spring Web Services. Versions that are no longer supported are also affected.

Details

Module Info

Vulnerability Info

Spring WS supports WS-Addressing, which lets a SOAP request specify where replies and faults should be delivered through the wsa:ReplyTo and wsa:FaultTo header elements. When a request carries a non-anonymous reply address, the server delivers the response or fault out of band by opening a new outbound connection to that address using one of the configured WebServiceMessageSender instances.

The vulnerability is in the out-of-band send path of AddressingEndpointInterceptor. The interceptor took the reply endpoint address straight from the attacker-influenced addressing header and asked each configured sender only whether it could handle the URI, then opened a connection to it:

boolean supported = false;
for (WebServiceMessageSender messageSender : this.messageSenders) {
    if (messageSender.supports(replyEpr.getAddress())) {
        supported = true;
        try (WebServiceConnection connection = messageSender.createConnection(replyEpr.getAddress())) {
            connection.send(messageContext.getResponse());
            break;
        }
    }
}

The supports(URI) check only confirmed that a sender understood the transport (for example, that a URI used the http scheme), not that the destination was safe to reach. A remote, peer-supplied destination was treated identically to an application-chosen one, so the server would open a connection to whatever host the attacker named, including loopback addresses, private network ranges, and cloud metadata endpoints. Because authentication-related ordering was not enforced, a request that failed WS-Security validation could still trigger fault delivery to an attacker-supplied wsa:FaultTo address.

The remediation distinguishes the origin of a destination URI: application-controlled destinations retain their existing behavior, while peer-supplied wsa:ReplyTo and wsa:FaultTo URIs are classified as remote and subjected to stricter validation before any connection is opened. Per-transport default checks were added (HTTP host and literal-IP screening that rejects private IPv4 literals and disables DNS resolution by default to mitigate DNS rebinding, JMS destination-name screening, mail host rules, and XMPP domain alignment), composable with an optional destination policy. WS-Security interceptors are also ordered to run before WS-Addressing processing so that requests failing authentication cannot trigger out-of-band delivery.

If upgrading is not possible, deployments can restrict the destinations each configured sender accepts by overriding its supports method to allowlist known-safe destinations, applying the same pattern to every configured sender type such as HttpUrlConnectionMessageSender, JmsMessageSender, and MailMessageSender.

Mitigation

Spring Web Services lines 4.0.x and 3.1.x, along with all earlier versions, are End-of-Life and have no publicly available fix for this vulnerability. Information about Spring Web Services support timelines is available at https://spring.io/projects/spring-ws.

To remediate this vulnerability, we recommend one of the following:

  1. Upgrade to a supported, fixed version of Spring Web Services (5.0.2 or 4.1.4, or later).
  2. If you are running an End-of-Life version that cannot be upgraded, adopt HeroDevs Never-Ending Support (NES) for Spring, which provides drop-in secure replacements for End-of-Life Spring Web Services releases.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-40987
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-40999
PROJECT Affected
Spring Web Services
Versions Affected
>=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1
NES Versions Affected
Published date
June 11, 2026
≈ Fix date
June 11, 2026
Fixed in
NES for Spring
Category
Information Exposure
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.