View all Vulnerabilities

CVE-2026-41000

Authorization Bypass
Affects
Spring Web Services
in
Spring
No items found.
Versions
>=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Web Services (Spring WS) is a product of the Spring community focused on creating document-driven, contract-first SOAP web services, with built-in support for WS-Security through its integration with Apache WSS4J.

A low-severity vulnerability (CVE-2026-41000) has been identified in Spring Web Services. The Wss4jSecurityInterceptor did not wire Apache WSS4J ReplayCache instances into the validation pipeline. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and SAML one-time-use assertions could be ineffective even when operators configured a replay cache on the interceptor, allowing attackers to re-submit still-valid cryptographic material within the acceptance window.

Per OWASP, permitting replay attacks is a form of identification and authentication failure: an application that fails to detect the re-submission of previously used credentials or messages allows an attacker to re-use valid authentication material they have captured.

This issue affects >=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, and >=5.0.0 <=5.0.1 of Spring Web Services.

Details

Module Info

Vulnerability Info

WS-Security relies on replay detection to stop an attacker from capturing a valid SOAP message and submitting it again. Apache WSS4J implements this with ReplayCache instances that record previously seen UsernameToken nonces, message timestamps, and SAML OneTimeUse assertions, rejecting any message whose token has already been processed.

In affected versions of Spring Web Services, the Wss4jSecurityInterceptor builds the WSS4J RequestData object for inbound message validation in its initializeValidationRequestData method without attaching any replay cache:

protected RequestData initializeValidationRequestData(MessageContext messageContext) {
    RequestData requestData = new RequestData();
    requestData.setMsgContext(messageContext);

    requestData.setWssConfig(wssConfig);
    requestData.setDecCrypto(validationDecryptionCrypto);
    requestData.setSigVerCrypto(validationSignatureCrypto);
    requestData.setCallbackHandler(validationCallbackHandler);

    messageContext.setProperty(WSHandlerConstants.TTL_TIMESTAMP, Integer.toString(validationTimeToLive));

    requestData.setTimeStampStrict(timestampStrict);
    requestData.setTimeStampTTL(validationTimeToLive);
    requestData.setTimeStampFutureTTL(futureTimeToLive);

    // ... no replay cache is ever set on requestData
    return requestData;
}

Because RequestData carries no ReplayCache, the WSS4J validators have no cross-request store of previously seen nonces, timestamps, or one-time-use assertions. Any captured message whose timestamp or nonce is still inside the configured time-to-live acceptance window (300 seconds by default) validates successfully again on every re-submission. An attacker positioned to observe a valid message can therefore replay authenticated or signed requests against the service for the remainder of the acceptance window.

The conditions for exploitation are: the service validates WS-Security constructs that rely on replay detection (username tokens with nonces, timestamps, or SAML one-time-use assertions), the service accepts repeated SOAP messages over the network, and the deployment expects WSS4J replay caches to be enforced.

The remediation wires configurable ReplayCache instances into RequestData during validation, so nonce, timestamp, and SAML one-time-use replay checks run across requests, and introduces Spring-friendly cache implementations for single-node and distributed deployments.

Mitigation

The Spring Web Services 2.4.x, 3.1.x, and 4.0.x release lines are End-of-Life and have no publicly available fix. Affected users should not attempt to author their own patches.

Recommended actions:

  1. Upgrade to a supported, fixed Spring Web Services release (5.0.2 or 4.1.4).
  2. If upgrading is not feasible because you depend on an End-of-Life release line, obtain a supported, patched build through a commercial support partner like HeroDevs Never-Ending Support (NES).
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-40987
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Low
ID
CVE-2026-41000
PROJECT Affected
Spring Web Services
Versions Affected
>=2.4.0 <=2.4.7, >=3.1.0 <=3.1.8, >=4.0.0 <=4.0.18, >=4.1.0 <=4.1.3, >=5.0.0 <=5.0.1
NES Versions Affected
Published date
June 16, 2026
≈ Fix date
June 16, 2026
Fixed in
NES for Spring
Category
Authorization Bypass
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.