CVE-2026-40988
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory.
Risk Assessment
An attacker can send a specially crafted compressed SAML request that, upon decompression, consumes excessive memory, leading to resource exhaustion and denial of service.
Recommendation
It is recommended to immediately upgrade Spring Security to versions 5.7.24, 5.8.26, 6.3.17, 6.4.17, 6.5.11, or 7.0.6, which include a fix limiting the decompressed payload size.
Original NVD description (English source)
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.

