View all Vulnerabilities

CVE-2026-41003

Cross-Site Scripting
Affects
Spring Security
in
Spring
No items found.
Versions
>=5.5.0 <=5.5.8, >=5.7.0 <=5.7.23, >=5.8.0 <=5.8.25, >=6.2.0 <=6.2.8, >=6.3.0 <=6.3.16, >=6.4.0 <=6.4.16, >=6.5.0 <=6.5.10, >=7.0.0 <=7.0.5
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Spring Security is the de facto authentication and access-control framework for Spring applications, providing login, authorization, CSRF protection, and protocol integrations including SAML 2.0 single sign-on. Its spring-security-saml2-service-provider module lets an application act as a SAML 2.0 service provider, exchanging authentication and logout messages with an identity provider (the asserting party) described by a RelyingPartyRegistration. When the SAML POST binding is used, the relevant Spring Security servlet filters return a small self-submitting HTML form that auto-posts the SAML message to the identity provider's service location.

A high-severity vulnerability (CVE-2026-41003) has been identified in how those filters build that HTML page. The form action URL is taken from the RelyingPartyRegistration (the asserting party's single sign-on or single logout service location) and concatenated into the page without HTML encoding, even though the SAML message and relay-state values in the same form are escaped. An attacker who is able to influence the values in a RelyingPartyRegistration, for example by controlling or tampering with the asserting-party metadata the service provider ingests, can break out of the action attribute and inject arbitrary markup or script into the page in the service provider’s origin.

Per OWASP, Cross-Site Scripting (XSS) is an attack in which "malicious scripts are injected into otherwise benign and trusted websites," allowing an attacker to "send malicious code, generally in the form of a browser side script, to a different end user." Here the injected payload is the relying party's service-location URL: because it is written into the form action attribute without encoding, a value containing a quote and a script tag escapes the attribute and runs in the user's session.

The CVSS v3.1 vector for this vulnerability is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N (High, base score 7.6). The attack vector is Network and complexity is Low; the attacker needs the limited privilege of influencing relying-party values and the victim must load the generated page; the injected content then runs in the service provider's origin, hence the high confidentiality impact and changed scope.

This issue affects >=5.5.0 <=5.5.8, >=5.7.0 <=5.7.23, >=5.8.0 <=5.8.25, >=6.2.0 <=6.2.8, >=6.3.0 <=6.3.16, >=6.4.0 <=6.4.16, >=6.5.0 <=6.5.10, and >=7.0.0 <=7.0.5 of Spring Security.

Details

Module Info

Vulnerability Info

The vulnerability is in the SAML 2.0 service-provider filters that implement the SAML POST binding: Saml2WebSsoAuthenticationRequestFilter for outbound authentication requests, and Saml2LogoutRequestFilter and Saml2RelyingPartyInitiatedLogoutSuccessHandler for logout. Each builds a self-submitting HTML form in a private createSamlPostRequestFormData method by appending fixed HTML fragments and request-derived values to a StringBuilder.

The values that originate from the SAML message itself, SAMLRequest, SAMLResponse, and RelayState, are passed through HtmlUtils.htmlEscape(...) before being written into the hidden <input> fields. The form action URL, however, is appended directly:

String authenticationRequestUri = authenticationRequest.getAuthenticationRequestUri();
StringBuilder html = new StringBuilder();
...
html.append("        <form action=\"");
html.append(authenticationRequestUri);
html.append("\" method=\"post\">\n");
...
html.append("                <input type=\"hidden\" name=\"SAMLRequest\" value=\"");
html.append(HtmlUtils.htmlEscape(samlRequest));
html.append("\"/>\n");

The authenticationRequestUri (and, in the logout filters, the location / response-location value) comes from the RelyingPartyRegistration asserting-party details, which are commonly populated from identity-provider metadata or a dynamic registration repository. When an attacker can influence those values, a service location such as a URL containing a double quote followed by a <script> element terminates the action attribute and injects attacker-controlled HTML into the page. Because the page is served from the service provider's own origin, the attacker can inject arbitrary markup into the victim's session, hijacking the auto-submit form's destination or executing script in the victim's authenticated context.

The fix leverages HTML-encoding in the form action URL before it is written to the page. This is the same HtmlUtils.htmlEscape(...) treatment already applied to the SAML message and relay-state. So, the relying-party URL containing HTML metacharacters can no longer break out of the attribute. 

Mitigation

Only recent versions of Spring Security receive community support and updates. Older versions have no publicly available fixes for this vulnerability.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a currently supported version of Spring Security. The OSS fixes are included in Spring Security 6.5.11 (6.5.x line) and 7.0.6 (7.0.x line).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support through Never-Ending Support (NES) for Spring Security. Learn more about HeroDevs Never-Ending Support for Spring Security and request coverage at https://www.herodevs.com/support/spring-nes

Credits

  • No public credit was provided in the vendor advisory.
Pink arrow
Pink arrow
CVE-2012-5055
CVE-2014-0097
CVE-2018-1000632
CVE-2019-3795
CVE-2019-11272
CVE-2016-1000027
CVE-2020-10683
CVE-2020-5408
CVE-2021-22112
CVE-2022-22950
CVE-2022-22965
CVE-2022-22968
CVE-2022-22971
CVE-2022-22970
CVE-2022-22978
CVE-2022-22976
CVE-2022-22980
CVE-2022-31692
CVE-2023-20861
CVE-2022-27772
CVE-2023-20863
CVE-2023-20862
CVE-2023-20883
CVE-2023-34036
CVE-2024-22234
CVE-2024-22243
CVE-2024-22259
CVE-2024-22262
CVE-2024-38808
CVE-2024-38807
CVE-2024-38809
CVE-2024-38816
CVE-2024-38820
CVE-2024-38821
CVE-2024-38819
CVE-2024-38828
CVE-2024-38827
CVE-2024-38829
CVE-2023-34040
CVE-2025-22228
CVE-2025-22232
CVE-2025-22234
CVE-2025-22235
CVE-2024-22257
CVE-2025-22233
CVE-2025-41235
CVE-2025-41242
CVE-2025-41243
CVE-2025-41249
CVE-2025-41254
CVE-2025-41253
CVE-2024-56128
CVE-2025-27817
CVE-2024-31141
CVE-2023-25194
CVE-2022-22979
CVE-2026-2817
CVE-2026-2818
CVE-2026-22737
CVE-2026-22735
CVE-2026-22733
CVE-2026-22731
CVE-2026-22732
CVE-2022-31690
CVE-2026-22739
CVE-2024-22236
CVE-2022-31679
CVE-2026-22750
CVE-2026-22740
CVE-2026-22741
CVE-2026-22745
CVE-2026-22746
CVE-2026-22748
CVE-2026-22751
CVE-2026-22752
CVE-2026-40974
CVE-2026-40972
CVE-2026-40973
CVE-2026-40975
CVE-2026-40977
CVE-2023-34050
CVE-2023-34055
CVE-2026-40982
CVE-2026-40981
CVE-2026-41002
CVE-2026-41004
CVE-2026-40990
CVE-2026-40989
CVE-2026-40991
CVE-2026-40985
CVE-2026-40986
CVE-2026-40994
CVE-2026-40995
CVE-2026-40996
CVE-2026-40997
CVE-2026-40998
CVE-2026-41006
CVE-2026-41007
CVE-2026-41696
CVE-2026-40987
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
ID
CVE-2026-41003
PROJECT Affected
Spring Security
Versions Affected
>=5.5.0 <=5.5.8, >=5.7.0 <=5.7.23, >=5.8.0 <=5.8.25, >=6.2.0 <=6.2.8, >=6.3.0 <=6.3.16, >=6.4.0 <=6.4.16, >=6.5.0 <=6.5.10, >=7.0.0 <=7.0.5
NES Versions Affected
Published date
June 15, 2026
≈ Fix date
June 15, 2026
Fixed in
NES for Spring
Category
Cross-Site Scripting
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Spring
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.